diff --git a/lib/krb5/context.c b/lib/krb5/context.c
index bd1afd261..514eca3be 100644
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -422,13 +422,17 @@ krb5_free_config_files(char **filenames)
 }
 
 /*
- * set `etype' to a malloced list of the default enctypes
+ * Returns the list of Kerberos encryption types sorted in order of
+ * most preferred to least preferred encryption type. The array ends
+ * with ETYPE_NULL. Note that some encryption types might be
+ * disabled, so you need to check with krb5_enctype_valid() before
+ * using the encryption type.
 */
 
-static krb5_error_code
-default_etypes(krb5_context context, krb5_enctype **etype)
+const krb5_enctype * KRB5_LIB_FUNCTION
+krb5_kerberos_enctypes(krb5_context context)
 {
- krb5_enctype p[] = {
+ static const krb5_enctype p[] = {
 ETYPE_AES256_CTS_HMAC_SHA1_96,
 ETYPE_AES128_CTS_HMAC_SHA1_96,
 ETYPE_DES3_CBC_SHA1,
@@ -436,12 +440,26 @@ default_etypes(krb5_context context, krb5_enctype **etype)
 ETYPE_ARCFOUR_HMAC_MD5,
 ETYPE_DES_CBC_MD5,
 ETYPE_DES_CBC_MD4,
- ETYPE_DES_CBC_CRC
+ ETYPE_DES_CBC_CRC,
+ ETYPE_NULL
 };
+ return p;
+}
+
+/*
+ * set `etype' to a malloced list of the default enctypes
+ */
+
+static krb5_error_code
+default_etypes(krb5_context context, krb5_enctype **etype)
+{
+ const krb5_enctype *p;
 krb5_enctype *e = NULL, *ep;
 int i, n = 0;
 
- for (i = 0; i < sizeof(p)/sizeof(p[0]); i++) {
+ p = krb5_kerberos_enctypes(context);
+
+ for (i = 0; p[i] != ETYPE_NULL; i++) {
 if (krb5_enctype_valid(context, p[i]) != 0)
 continue;
 ep = realloc(e, (n + 2) * sizeof(*e));
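Review bot: The comment on the new `krb5_kerberos_enctypes()` in the first hunk does not say that the returned array is static storage, which matters because `default_etypes()` right after it hands back a malloced list that callers are expected to free. I would add a line such as `* The returned array is statically allocated; callers must not free or modify it.` to that comment. The list is returned unfiltered and still carries the single-DES and ARCFOUR entries, so a caller that skips `krb5_enctype_valid()` would work with types the local configuration may have disabled; the comment mentions the check, but it could state outright that the list reflects preference order only and is not a policy decision. The `context` argument is not used in the visible body, which deserves a word in the comment if it is kept for API symmetry.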
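Review bot: The rewritten loop in `default_etypes()` (second hunk) is bounded only by the `ETYPE_NULL` entry appended to `p[]`, where the old loop used `sizeof(p)/sizeof(p[0])`. Nothing at the array itself marks that last entry as a terminator, so an enctype appended after it would be silently ignored, and a dropped sentinel would let the loop read past the end of the array. A trailing comment on that line, e.g. `ETYPE_NULL /* terminator, must stay last */`, would make the contract visible at the place where the list gets edited. The body of `default_etypes()` continues past the end of the hunk.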