When OpenSSL adds new protocols we still need new code to support
exclusion of new protocols. Nothing in "TLS_KNOWN_PROTOCOLS" changes
that.
The "TLS_KNOWN_PROTOCOLS" bitmask supports conversion of:
    smtp_tls_protocols = TLSv1
to the equivalent (for Postfix 2.9 or earlier)
    smtp_tls_protocols = !SSLv2, !SSLv3
With Postfix 2.10 (patched as proposed), the equivalent exclusion
form is:
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1_1, !TLSv1_2
so the mapping from a set to its complement naturally depends on
the universal set at hand.
Dropping the inclusion syntax creates a backwards compatibility
problem.
I am not sure why you feel there is an imperative to drop it. If
we don't want to implement features to disable new protocols, we
don't need to make any code changes. If we do want to allow
control over new protocols, we need new code, with or without
TLS_KNOWN_PROTOCOLS.
--
Viktor.
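The set-to-complement mapping described in the message above, worked through as an added example; this is not Postfix code and not Viktor's, and it only models the idea of a "known protocols" bitmask. The two universal sets (KNOWN_29 and KNOWN_210), the name-to-bit assignments, and the rule that an inclusion list and an exclusion list may not be mixed are assumptions made for illustration. It shows that the inclusion form "TLSv1" keeps its meaning when the universe grows, while the exclusion form written for the smaller universe silently enables every protocol added later.

```python
# Added example (not Postfix code): model the inclusion -> exclusion mapping
# for smtp_tls_protocols against a "known protocols" bitmask.

# Assumed universal sets, as name -> bit, mimicking the TLS_KNOWN_PROTOCOLS idea.
# KNOWN_29 stands in for a Postfix 2.9 build, KNOWN_210 for a 2.10 build that
# also knows TLSv1_1 and TLSv1_2. Bit values are arbitrary.
KNOWN_29 = {"SSLv2": 1 << 0, "SSLv3": 1 << 1, "TLSv1": 1 << 2}
KNOWN_210 = dict(KNOWN_29, TLSv1_1=1 << 3, TLSv1_2=1 << 4)


def known_mask(known):
    """Bitmask with every protocol in the universal set turned on."""
    mask = 0
    for bit in known.values():
        mask |= bit
    return mask


def parse_protocols(value, known):
    """Return the bitmask of enabled protocols for a protocol list.

    A list whose entries start with "!" is an exclusion list: start from
    everything known and clear the named bits. Otherwise it is an inclusion
    list: start from nothing and set the named bits. Mixing the two forms,
    or naming a protocol outside the universe, is rejected (an assumption of
    this model, not a statement about what Postfix does).
    """
    names = [t for t in value.replace(",", " ").split() if t]
    if not names:
        raise ValueError("empty protocol list")
    exclusion = names[0].startswith("!")
    enabled = known_mask(known) if exclusion else 0
    for name in names:
        if name.startswith("!") != exclusion:
            raise ValueError("mixed inclusion/exclusion list: %r" % value)
        bare = name.lstrip("!")
        if bare not in known:
            raise ValueError("unknown protocol %r" % bare)
        if exclusion:
            enabled &= ~known[bare]
        else:
            enabled |= known[bare]
    return enabled


def enabled_names(value, known):
    """Names of the protocols a list enables, in universal-set order."""
    enabled = parse_protocols(value, known)
    return [n for n, bit in known.items() if enabled & bit]


def to_exclusion_form(value, known):
    """Rewrite any protocol list as the equivalent exclusion list.

    The complement is taken relative to the universal set passed in, so the
    same inclusion list yields a different exclusion list per universe.
    """
    enabled = parse_protocols(value, known)
    excluded = [n for n, bit in known.items() if not enabled & bit]
    return ", ".join("!" + n for n in excluded)


if __name__ == "__main__":
    for label, known in (("2.9", KNOWN_29), ("2.10", KNOWN_210)):
        print("%s: TLSv1 == %s" % (label, to_exclusion_form("TLSv1", known)))
        # The 2.9-era exclusion list, evaluated under each universe:
        print("%s: !SSLv2, !SSLv3 enables %s"
              % (label, enabled_names("!SSLv2, !SSLv3", known)))
```

Under KNOWN_29 the inclusion form "TLSv1" maps to "!SSLv2, !SSLv3"; under KNOWN_210 the same input maps to "!SSLv2, !SSLv3, !TLSv1_1, !TLSv1_2", which is the point about the complement depending on the universal set. Evaluating the old exclusion list under the larger universe enables TLSv1_1 and TLSv1_2 as well, which is why an exclusion list needs code changes (a larger universal set) whenever new protocols appear, whether or not a bitmask constant exists.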