diff --git a/nova/tests/unit/virt/xenapi/test_agent.py b/nova/tests/unit/virt/xenapi/test_agent.py
index 8c77445c22ae..2848fc288213 100644
--- a/nova/tests/unit/virt/xenapi/test_agent.py
+++ b/nova/tests/unit/virt/xenapi/test_agent.py
@@ -19,6 +19,7 @@ import time
 import mock
 from os_xenapi.client import host_agent
 from os_xenapi.client import XenAPI
+from oslo_concurrency import processutils
 from oslo_utils import uuidutils
 
 from nova import exception
@@ -311,6 +312,19 @@ class SetAdminPasswordTestCase(AgentTestCaseBase):
 
         mock_add_fault.assert_called_once_with(error, mock.ANY)
 
+    @mock.patch('oslo_concurrency.processutils.execute')
+    def test_run_ssl_successful(self, mock_execute):
+        mock_execute.return_value = ('0',
+            '*** WARNING : deprecated key derivation used.'
+            'Using -iter or -pbkdf2 would be better.')
+        agent.SimpleDH()._run_ssl('foo')
+
+    @mock.patch('oslo_concurrency.processutils.execute',
+                side_effect=processutils.ProcessExecutionError(
+                    exit_code=1, stderr=('ERROR: Something bad happened')))
+    def test_run_ssl_failure(self, mock_execute):
+        self.assertRaises(RuntimeError, agent.SimpleDH()._run_ssl, 'foo')
+
 
 class UpgradeRequiredTestCase(test.NoDBTestCase):
     def test_less_than(self):
diff --git a/nova/virt/xenapi/agent.py b/nova/virt/xenapi/agent.py
index d5f060af5d43..e763cc2cfd7a 100644
--- a/nova/virt/xenapi/agent.py
+++ b/nova/virt/xenapi/agent.py
@@ -422,11 +422,18 @@ class SimpleDH(object):
                'pass:%s' % self._shared, '-nosalt']
         if decrypt:
             cmd.append('-d')
-        out, err = processutils.execute(
-            *cmd, process_input=encodeutils.safe_encode(text))
-        if err:
-            raise RuntimeError(_('OpenSSL error: %s') % err)
-        return out
+        try:
+            out, err = processutils.execute(
+                *cmd,
+                process_input=encodeutils.safe_encode(text),
+                check_exit_code=True)
+            if err:
+                LOG.warning("OpenSSL stderr: %s", err)
+            return out
+        except processutils.ProcessExecutionError as e:
+            raise RuntimeError(
+                _('OpenSSL errored with exit code %(exit_code)d: %(stderr)s') %
+                 {'exit_code': e.exit_code, 'stderr': e.stderr})
 
     def encrypt(self, text):
         return self._run_ssl(text).strip('\n')