CA-404460: Expose Stunnel_verify_error for mismatched or corrupted certificate, and expose ssl_verify_error during update syncing (#6376)

Pls refer to commit msg for details

Author: gangj

ocaml/libs/stunnel/stunnel.ml

@@ -478,20 +478,30 @@ let check_verify_error line =
   let split_1 c s =
     match Astring.String.cut ~sep:c s with Some (x, _) -> x | None -> s
   in
-  if Astring.String.is_infix ~affix:"VERIFY ERROR: " line then
-    match Astring.String.find_sub ~sub:"error=" line with
+  (* When verified with a mismatched certificate, one line of log from stunnel
+   * would look like:
+     SSL_connect: ssl/statem/statem_clnt.c:1889: error:0A000086:SSL routines::certificate verify failed
+   * in this case, Stunnel_verify_error can be raised with detailed error as
+   * reason if it can found in the log *)
+  if Astring.String.is_infix ~affix:"certificate verify failed" line then
+    match Astring.String.find_sub ~sub:"error:" line with
     | Some e ->
         raise
           (Stunnel_verify_error
-             (split_1 "," (sub_after (e + String.length "error=") line))
+             (split_1 "," (sub_after (e + String.length "error:") line))
           )
     | None ->
         raise (Stunnel_verify_error "")
+  else if
+    Astring.String.is_infix ~affix:"No certificate or private key specified"
+      line
+  then
+    raise (Stunnel_verify_error "The specified certificate is corrupt")
   else
     ()
 
 let check_error s line =
-  if Astring.String.is_infix ~affix:line s then
+  if Astring.String.is_infix ~affix:s line then
     raise (Stunnel_error s)
 
 let diagnose_failure st_proc =

ocaml/xapi/repository.ml

@@ -306,6 +306,8 @@ let sync ~__context ~self ~token ~token_id ~username ~password =
   with
   | Api_errors.Server_error (_, _) as e ->
       raise e
+  | Stunnel.Stunnel_verify_error reason ->
+      raise (Api_errors.Server_error (Api_errors.ssl_verify_error, [reason]))
   | e ->
       error "Failed to sync with remote YUM repository: %s"
         (ExnHelper.string_of_exn e) ;