Add a test that DTLS does not support RC4.

Make sure we don't break that by accident.

Change-Id: I22d58d35170d43375622fe61e4a588d1d626a054
Reviewed-on: https://boringssl-review.googlesource.com/4960
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 864f526..feef551 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -723,6 +723,9 @@
 	// PackHandshakeRecords, if true, causes handshake records to be packed
 	// into individual packets, up to the specified packet size.
 	PackHandshakeRecords int
+
+	// EnableAllCiphersInDTLS, if true, causes RC4 to be enabled in DTLS.
+	EnableAllCiphersInDTLS bool
 }
 
 func (c *Config) serverInit() {
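Review bot: The doc comment on `EnableAllCiphersInDTLS` describes the flag as RC4-specific, but its only use in this commit (the `suiteNoDTLS` check in handshake_client.go) lifts the DTLS filter for every suite carrying that flag, and only when the runner acts as the client. I would word the comment to match what the flag does, e.g. `// EnableAllCiphersInDTLS, if true, causes the client to advertise cipher suites marked suiteNoDTLS (such as RC4) in DTLS.` The enclosing `ProtocolBugs` struct begins outside this hunk.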
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 1f9e84f..0c5df73 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -115,7 +115,7 @@
 				continue
 			}
 			// Don't advertise non-DTLS cipher suites on DTLS.
-			if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
+			if c.isDTLS && suite.flags&suiteNoDTLS != 0 && !c.config.Bugs.EnableAllCiphersInDTLS {
 				continue
 			}
 			hello.cipherSuites = append(hello.cipherSuites, suiteId)
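Review bot: The comment `// Don't advertise non-DTLS cipher suites on DTLS.` above the changed condition is now stale, because the filter is skipped whenever `c.config.Bugs.EnableAllCiphersInDTLS` is set. Suggest `// Don't advertise non-DTLS cipher suites on DTLS unless the EnableAllCiphersInDTLS bug is set.` so a reader does not take the filter as unconditional. The enclosing loop and function start outside this hunk.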
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 6c0d294..40d8e7d 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1116,6 +1116,19 @@
 			},
 		},
 	},
+	{
+		testType: serverTest,
+		protocol: dtls,
+		name:     "NoRC4-DTLS",
+		config: Config{
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_RC4_128_SHA},
+			Bugs: ProtocolBugs{
+				EnableAllCiphersInDTLS: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":NO_SHARED_CIPHER:",
+	},
 }
 
 func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, isResume bool) error {
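Review bot: `NoRC4-DTLS` pins the negative case for one suite and one direction only: the shim as DTLS server, offered nothing but `TLS_ECDHE_RSA_WITH_RC4_128_SHA`. A regression that re-enabled a different `suiteNoDTLS` suite, or a shim client that accepted RC4 chosen by a DTLS server, would pass this entry. Unless that is covered elsewhere in the table, consider generating the case for every suite flagged `suiteNoDTLS` and adding a client-side counterpart; the latter would need the runner's server path to honour the bug flag, which this commit does not show. A one-line comment above the entry, such as `// DTLS forbids stream ciphers such as RC4; the shim must refuse to negotiate them.`, would record why the test exists. The enclosing test table starts outside the hunk.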