Nginx SSL configuration: TLS v1.3 cipher suites and ECDH curve

We have an installation of GitLab Community Edition [v17.4.2] on a Debian 12 server.

We updated the configuration for nginx in the config file /etc/gitlab/gitlab.rb, but it seems not all of the properties are actually applied (or not allowed or supported?).

The relevant configuration looks like this:

nginx['enable'] = true

nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:ECDHE-RSA-ARIA256-GCM-SHA384:DHE-RSA-ARIA256-GCM-SHA384:!DSS"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_protocols'] = "TLSv1.3 TLSv1.2"

nginx['ssl_ecdh_curve'] = "secp384r1"
nginx['ssl_conf_command'] = "Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

Now the TLS versions and the allowed ciphers are applied to the effective nginx config in /var/opt/gitlab/nginx/conf after executing "gitlab-ctl reconfigure".

But the curve is not. There is no line with ssl_ecdh_curve in the effective nginx config. Also, I don't know how the nginx configuration ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 to restrict TLS v1.3 ciphers would be used here or if that is even possible.

Also, when I check our site on Qualys SSL Labs, I can see that the TLSv1.3 cipher TLS_AES_128_GCM_SHA256 is allowed (which we would want to exclude) and that the elliptic curve x25519 is used (instead of secp384r1).

According to the documentation (https://docs.gitlab.com/17.4/ee/security/hardening_configuration_recommendations.html) about hardening it should be possible to at least set ssl_ecdh_curve, but it's not getting applied to the actual configuration.

Are these two things simply not possible, am I doing something wrong here or is this a bug?
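
The manual comparison described in the post (settings in gitlab.rb versus directives in the rendered nginx config) can be scripted. The following is an added example, not code from the post or from GitLab; the function names are hypothetical and both sample texts are constructed for illustration.

```python
import re
import sys

# Constructed sample inputs (illustrative only, not taken from a real server).
SAMPLE_GITLAB_RB = '''
nginx['enable'] = true
nginx['ssl_protocols'] = "TLSv1.3 TLSv1.2"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_ecdh_curve'] = "secp384r1"
nginx['ssl_conf_command'] = "Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
# nginx['ssl_session_timeout'] = "5m"
'''
SAMPLE_RENDERED = '''
server {
  listen *:443 ssl;
  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_prefer_server_ciphers on;
  # ssl_ecdh_curve secp384r1;
}
'''

# Active (uncommented) nginx['ssl_*'] = "value" assignments in gitlab.rb.
SETTING = re.compile(r"""^\s*nginx\[['"](ssl_\w+)['"]\]\s*=\s*(['"])(.*?)\2\s*(?:#.*)?$""")
# Active (uncommented) "ssl_* value;" directives in the rendered nginx config.
DIRECTIVE = re.compile(r"^\s*(ssl_\w+)\s+(.+?)\s*;\s*(?:#.*)?$")

def requested(gitlab_rb):
    """Map each ssl_* key set in gitlab.rb to its requested value."""
    matches = (SETTING.match(line) for line in gitlab_rb.splitlines())
    return {m.group(1): m.group(3) for m in matches if m}

def rendered(conf):
    """Map each ssl_* directive in the rendered config to the set of its values."""
    found = {}
    for m in filter(None, (DIRECTIVE.match(line) for line in conf.splitlines())):
        found.setdefault(m.group(1), set()).add(m.group(2).strip("'\""))
    return found

def audit(gitlab_rb, conf):
    """Classify every requested setting as applied, differs or missing."""
    have = rendered(conf)
    return {key: "missing" if key not in have
            else "applied" if value in have[key] else "differs"
            for key, value in requested(gitlab_rb).items()}

if __name__ == "__main__":
    # Usage: script.py /etc/gitlab/gitlab.rb /var/opt/gitlab/nginx/conf/*.conf
    rb = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_GITLAB_RB
    conf = "\n".join(open(p).read() for p in sys.argv[2:]) or SAMPLE_RENDERED
    for key, state in audit(rb, conf).items():
        print(f"{state:8} {key}")
```

A "missing" result only shows that the directive was not rendered after "gitlab-ctl reconfigure"; it does not say whether the key is unsupported or ignored for another reason.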