Negative coverage: unsupported cipher suites

[gilles-peskine-arm]

We mostly don't test what happens if a peer tries to negotiate a cipher suite that isn't supported, either because Mbed TLS doesn't implement it or because it's disabled at compile time.

The goal of this issue is to add systematic testing that covers at least all the cipher suites that Mbed TLS can support, and one more. Run an OpenSSL/GnuTLS client/server with a forced cipher suite against an Mbed TLS peer that doesn't support that cipher suite, and check that the handshake fails gracefully.

We already have code to enumerate cipher suites and attempt a key exchange in compat.sh, so that seems the natural place for such tests. Instead of arranging not to try unsupported cipher suites, we should try everything that GnuTLS and OpenSSL support, but expect a handshake failure if Mbed TLS doesn't support the cipher suite.