Prevent port scanning of hidden services

If you connect to a hidden service that's listening on virtual port 5222, and send it a begin cell for port 80, it will send you back an end cell but leave the circuit up.

I actually thought the design was more defensive: that if you ever asked for a virtual port that wasn't assigned, then it would close the circuit on you, to prevent scanning to find out what ports are open.

But it turns out I never built it that way. We should fix it.

With thanks to Ivan Pustogarov for noticing.