diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index 07a1c1d66..643c71b24 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -255,6 +255,15 @@ struct tls_named_group {
 #define __tls_named_group( pref ) \
 __table_entry ( TLS_NAMED_GROUPS, pref )

+/** Declare a TLS anonymous named group */
+#define __tls_anon_named_group __tls_named_group ( 98 )
+
+/** Number of non-anonymous TLS named groups */
+#define TLS_NUM_NAMED_GROUPS \
+ ( ( unsigned int ) \
+ ( __table_entries ( TLS_NAMED_GROUPS, 97 ) \
+ - table_start ( TLS_NAMED_GROUPS ) ) )
+
 /** A TLS cipher specification */
 struct tls_cipherspec {
 /** Cipher suite */
diff --git a/src/net/tls.c b/src/net/tls.c
index 632ed2f4b..41d50287e 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -993,9 +993,6 @@ tls_find_signature_hash ( unsigned int code ) {
 ******************************************************************************
 */

-/** Number of supported named key exchange groups */
-#define TLS_NUM_NAMED_GROUPS table_num_entries ( TLS_NAMED_GROUPS )
-
 /**
 * Identify named key exchange group
 *
@@ -1008,7 +1005,7 @@ tls_find_named_group ( unsigned int named_group ) {

 /* Identify named group */
 for_each_table_entry ( group, TLS_NAMED_GROUPS ) {
- if ( group->code == named_group )
+ if ( group->code && ( group->code == named_group ) )
 return group;
 }

@@ -1252,8 +1249,11 @@ static int tls_client_hello ( struct tls_connection *tls,
 = htons ( sizeof ( named_group_ext->data ) );
 named_group_ext->data.len
 = htons ( sizeof ( named_group_ext->data.code ) );
- i = 0 ; for_each_table_entry ( group, TLS_NAMED_GROUPS )
- named_group_ext->data.code[i++] = group->code;
+ i = 0 ; for_each_table_entry ( group, TLS_NAMED_GROUPS ) {
+ if ( group->code )
+ named_group_ext->data.code[i++] = group->code;
+ }
+ assert ( i == TLS_NUM_NAMED_GROUPS );
 }

 return action ( tls, &hello, sizeof ( hello ) );
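Review bot: The two macros added to tls.h depend on an unstated pairing of the literals `97` and `98`, and on anonymous groups carrying a zero `code`, but neither rule is written down where a new group would be declared. TLS_NUM_NAMED_GROUPS appears to count only the entries that sort before position `97`, so an advertised group declared at `97` or above, or an anonymous group given a nonzero code, would make the count disagree with what the rest of tls.c iterates over. I would extend the doc comment on `__tls_anon_named_group` to say so, for example `/** Declare a TLS anonymous named group (code must be zero; sorts after all advertised groups, which must use a preference below 97) */`. Naming the boundary once, for instance as a `TLS_NAMED_GROUP_ANON_PREF`-style constant used by both macros if the table macros permit it, would remove the duplicated literal.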
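Review bot: The reason for the new `group->code &&` test in tls_find_named_group is not recorded, and it is evaluated for every table entry although it only changes the result when `named_group` itself is zero. A guard ahead of the loop, `if ( ! named_group ) return NULL;`, preceded by a comment such as `/* Zero is reserved for anonymous groups and must never match a requested code */`, states the intent directly and leaves the loop comparison as it was. This matters because the value looked up here presumably comes from the peer, so the exclusion of zero is a security-relevant rule rather than an optimisation. The function's declaration and its final return lie outside the hunk.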
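Review bot: The write to `named_group_ext->data.code[i++]` in tls_client_hello is bounded only by the `assert` that follows the loop, which runs after any out-of-range store has already happened and presumably does nothing in builds with assertions disabled. The loop stores one element per table entry with a nonzero code, whereas TLS_NUM_NAMED_GROUPS is derived from table position; if the array is sized by that macro, as the assert suggests, a nonzero-code group linked at the anonymous position would be written past its end. This is a build-time invariant rather than anything a peer controls, but I would still bound the store itself with `if ( group->code && ( i < TLS_NUM_NAMED_GROUPS ) )`. The assert then remains as a diagnostic for an undercount. The body of tls_client_hello starts before and continues after the hunk.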