swarm: QUIC dial failures are not always fed into the dial limiter

[marten-seemann]

Due to the nature of the TLS 1.3 handshake, it will look like a connection attempt succeed for the client even if the server rejects the client's certificate (for whatever reason).

The handshake looks like this:

> ClientHello
< ServerHello, Certificate, Finished
> Certificate, Finished

If the server dislikes the client's certificate, it will close the connection immediately. However, at this point, the client has already completed the handshake, so the swarm doesn't register this as a failed dial, and doesn't feed that into the dial backoff. This will lead us to dial the same address again. We even do so explicitly in the host:

go-libp2p/p2p/host/basic/basic_host.go

Lines 611 to 626 in 4ad3734

	func (h *BasicHost) NewStream(ctx context.Context, p peer.ID, pids ...protocol.ID) (network.Stream, error) {
	// Ensure we have a connection, with peer addresses resolved by the routing system (#207)
	// It is not sufficient to let the underlying host connect, it will most likely not have
	// any addresses for the peer without any prior connections.
	// If the caller wants to prevent the host from dialing, it should use the NoDial option.
	if nodial, _ := network.GetNoDial(ctx); !nodial {
	err := h.Connect(ctx, peer.AddrInfo{ID: p})
	if err != nil {
	return nil, err
	}
	}
	s, err := h.Network().NewStream(ctx, p)
	if err != nil {
	return nil, err
	}

Maybe we should use a NoDial context on the NewStream call?

This will require us to send error codes: libp2p/specs#479.