fix(ext/node): fix TLS client certificate authentication verification (#33576)
## Summary

Fixes several issues in the `node:tls` client certificate authentication flow:

- **PEM header normalization**: `BEGIN TRUSTED CERTIFICATE` and `BEGIN X509 CERTIFICATE` headers are now normalized to `BEGIN CERTIFICATE` before parsing (both client and server configs), matching OpenSSL behavior
- **X.509v1 chain verification**: Instead of blindly accepting v1 certs (which bypassed all chain verification), we now do structural chain checking via issuer/subject DER matching -- valid chains pass, broken chains produce the correct Node/OpenSSL error codes
- **Client cert rejection flow**: `NodeClientCertVerifier::verify_client_cert` now always succeeds the TLS handshake, storing errors for the JS layer (`onServerSocketSecure`) to handle rejection via `this.destroy()`, producing `ECONNRESET` on the client instead of a TLS fatal alert, matching Node.js behavior
- **TLS alert mapping**: Added `CertificateRequired` alert mapping with version-aware logic (TLS 1.2 maps to `SSLV3_ALERT_HANDSHAKE_FAILURE` to match OpenSSL)
- **Error code accuracy**: Fixed `UNABLE_TO_GET_ISSUER_CERT_LOCALLY` vs `UNABLE_TO_VERIFY_LEAF_SIGNATURE` distinction based on whether explicit CAs were provided
Bartek Iwańczuk committed
5dca210f0dc7ef6daf17dbe9ac8e37f378e48da0
Parent: 2ce7334
Committed by GitHub <noreply@github.com>
on 4/28/2026, 9:07:29 AM
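The PEM header normalization described in the first bullet, as an added example that is not Deno's code from this commit: it rewrites the legacy `TRUSTED CERTIFICATE` and `X509 CERTIFICATE` labels (on both the BEGIN and END lines) to the plain `CERTIFICATE` label across a whole bundle, and counts the blocks a strict PEM parser would then see. The function names and the sample bundle are constructed for this example.

```rust
// Added example, not the project's own implementation. Assumption: the input
// is a UTF-8 PEM bundle; everything outside the BEGIN/END marker lines is
// passed through unchanged.
const LEGACY_LABELS: [&str; 2] = ["TRUSTED CERTIFICATE", "X509 CERTIFICATE"];

/// Rewrite `-----BEGIN <legacy>-----` and `-----END <legacy>-----` lines to
/// the `CERTIFICATE` label so a parser that only knows the standard label
/// sees every certificate in the bundle, as OpenSSL would.
pub fn normalize_pem_labels(pem: &str) -> String {
    let mut out = String::with_capacity(pem.len());
    for line in pem.lines() {
        let trimmed = line.trim();
        let mut replaced: Option<String> = None;
        for label in LEGACY_LABELS {
            for kind in ["BEGIN", "END"] {
                // Match the full marker line exactly; a substring match would
                // also hit lines inside the base64 body or in comments.
                if trimmed == format!("-----{kind} {label}-----") {
                    replaced = Some(format!("-----{kind} CERTIFICATE-----"));
                }
            }
        }
        out.push_str(replaced.as_deref().unwrap_or(line));
        out.push('\n');
    }
    out
}

/// Number of blocks a parser that only accepts the standard label would load.
pub fn count_certificate_blocks(pem: &str) -> usize {
    pem.lines()
        .filter(|l| l.trim() == "-----BEGIN CERTIFICATE-----")
        .count()
}
```

Note that an OpenSSL `TRUSTED CERTIFICATE` block may carry trust settings appended after the certificate DER inside the same base64 body, so relabelling alone does not guarantee a strict DER parser will accept the block; check how the downstream parser handles trailing bytes.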