Define TLSEXT_nid_unknown

NGINX requires this constant if SSL_get_negotiated_group is defined.
OpenSSL returns this to indicate a named group constant it doesn't
understand, which doesn't make sense out of SSL_get_negotiated_group
because the library wouldn't negotiate a group it doesn't know about.
Nonetheless, define it for compatibility.

Fixed: 615
Change-Id: I05a6d607912bb8507be9ac6ff5fe1699b4715f6b
Commit-Queue: Adam Langley <>
Commit-Queue: David Benjamin <>
Reviewed-by: Adam Langley <>
Auto-Submit: David Benjamin <>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 7974b27..1de31e8 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -5268,6 +5268,11 @@
 #define SSL_CURVE_X25519 SSL_GROUP_X25519
 #define SSL_CURVE_X25519_KYBER768_DRAFT00 SSL_GROUP_X25519_KYBER768_DRAFT00
+// TLSEXT_nid_unknown is a constant used in OpenSSL for
+// |SSL_get_negotiated_group| to return an unrecognized group. BoringSSL never
+// returns this value, but we define this constant for compatibility.
+#define TLSEXT_nid_unknown 0x1000000
 // Compliance policy configurations