Does anyone tried TlsParameters in gateway.proto?

I’m working on a small deployment recently with new istio 1.3.3 release, and find out the new options in gateway.proto, doesn’t work the way I want it to be.

the basic gateway setting is very simple, just as below:

  mode: SIMPLE
  minProtocolVersion: TLSV1_0
 maxProtocolVersion: TLSV1_3

Everything looks fine to me, istioctl ps and curl -s localhost:15000/config_dump all report tls_minimum_protocol_version is set as I expect. But when I test it with a legacy curl with --tlsv1 option, request failed with NSS error -5938. Then I set the maxProtocolVersion to TLSV1_1, the request failed even without --tlsv1, and debug output looks like envoy only accept tlsv1.2 or above even if you do set minProtocolVersion as TLSV1_0.