fix: remove server-specific nginx hint from key_exchange FAIL reason

Author: t0kubetsu

README.md

@@ -11,7 +11,7 @@ $ quantumvalidator check cloudflare.com
 ```
 
 ![Python](https://img.shields.io/badge/python-%3E%3D3.11-blue)
-![Tests](https://img.shields.io/badge/tests-205%20passing-brightgreen)
+![Tests](https://img.shields.io/badge/tests-206%20passing-brightgreen)
 ![Coverage](https://img.shields.io/badge/coverage-100%25-brightgreen)
 ![License](https://img.shields.io/badge/license-GPLv3-lightgrey)
 
@@ -280,7 +280,7 @@ pytest tests/test_tls_utils.py
 pytest tests/test_assessor.py::TestAssessHttps -v
 ```
 
-The test suite has **205 tests** and maintains **100% statement coverage**.
+The test suite has **206 tests** and maintains **100% statement coverage**.
 
 All network I/O (`openssl s_client` subprocess) is mocked at the `probe_tls` boundary —
 no test touches a real server or the internet.

quantumvalidator/verdict.py

@@ -98,7 +98,7 @@ def build_checks(
             value=negotiated_group,
             reason=(
                 f"No PQC hybrid group negotiated; got {negotiated_group or 'none'}. "
-                "Configure X25519MLKEM768 support (OpenSSL 3.0+, nginx >= 1.27.1)."
+                "Enable X25519MLKEM768 on the server (requires OpenSSL >= 3.0)."
             ),
             standard="CNSA 2.0, BSI TR-02102-2",
         ))

tests/test_verdict.py

@@ -64,6 +64,12 @@ def test_fail_tls_check_has_standard(self):
         checks = build_checks("TLSv1.2", None)
         assert "CNSA 2.0" in (checks[0].standard or "")
 
+    def test_key_exchange_fail_reason_is_server_agnostic(self):
+        checks = build_checks("TLSv1.3", "X25519")
+        reason = checks[1].reason
+        assert "nginx" not in reason.lower()
+        assert "OpenSSL" in reason
+
 
 class TestDetermineVerdictSsh:
     def test_safe_mlkem768nistp256(self):