tls: enhance error message handling to prevent corrupted OpenSSL errors

Addresses CodeRabbit suggestion from GitHub PR #10850 discussion_r2329667784.

The original fix correctly handled SSL_ERROR_SYSCALL but still had an issue
where SSL_get_error() classification codes (like SSL_ERROR_SYSCALL=5) were
being incorrectly passed to ERR_error_string_n(), which expects actual
OpenSSL error queue codes. This caused corrupted error messages like
"error:00000005:lib(0):func(0):DH lib".

This enhancement:
- Uses ERR_peek_last_error() to get actual OpenSSL error codes from the queue
- Only calls ERR_error_string_n() with valid OpenSSL error codes
- Falls back to logging the SSL error classification number when no queue error exists
- Provides cleaner, more informative TLS error messages

Combined with the original SSL_ERROR_SYSCALL errno=0 fix, this resolves both
the race condition crashes and the error message corruption issues.

References: #10850 (comment)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: sandervandegeijn

src/tls/openssl.c

@@ -1192,8 +1192,16 @@ static int tls_net_handshake(struct flb_tls *tls,
                 }
             }
             else {
-                ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1);
-                flb_error("[tls] error: %s", err_buf);
+                /* Get the actual OpenSSL error from queue instead of SSL_get_error() classification */
+                unsigned long err_code = ERR_peek_last_error();
+                if (err_code != 0) {
+                    ERR_error_string_n(err_code, err_buf, sizeof(err_buf)-1);
+                    flb_error("[tls] error: %s", err_buf);
+                }
+                else {
+                    /* No OpenSSL error in queue, log the SSL error classification */
+                    flb_error("[tls] unknown SSL error (class: %d)", ret);
+                }
             }
 
             pthread_mutex_unlock(&ctx->mutex);