diff -r bc5f55493397 -r 1b3a0b0c414f mercurial/sslutil.py
--- a/mercurial/sslutil.py Tue May 31 19:21:08 2016 -0700
+++ b/mercurial/sslutil.py Sat Jun 04 11:16:08 2016 -0700
@@ -377,14 +377,8 @@
 def fmtfingerprint(s):
 return ':'.join([s[x:x + 2] for x in range(0, len(s), 2)])
- legacyfingerprint = fmtfingerprint(peerfingerprints['sha1'])
 nicefingerprint = 'sha256:%s' % fmtfingerprint(peerfingerprints['sha256'])
- if settings['legacyfingerprint']:
- section = 'hostfingerprint'
- else:
- section = 'hostsecurity'
-
 if settings['certfingerprints']:
 for hash, fingerprint in settings['certfingerprints']:
 if peerfingerprints[hash].lower() == fingerprint:
@@ -392,8 +386,15 @@
 (host, hash, fmtfingerprint(fingerprint)))
 return
+ # Pinned fingerprint didn't match. This is a fatal error.
+ if settings['legacyfingerprint']:
+ section = 'hostfingerprint'
+ nice = fmtfingerprint(peerfingerprints['sha1'])
+ else:
+ section = 'hostsecurity'
+ nice = '%s:%s' % (hash, fmtfingerprint(peerfingerprints[hash]))
 raise error.Abort(_('certificate for %s has unexpected '
- 'fingerprint %s') % (host, legacyfingerprint),
+ 'fingerprint %s') % (host, nice),
 hint=_('check %s configuration') % section)
 if not sock._hgstate['caloaded']:
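Review bot: In the added `else:` branch of the second hunk, `nice` is built from `hash`, the loop variable left over from `for hash, fingerprint in settings['certfingerprints']`, so the abort message reports the peer fingerprint under whichever algorithm happens to be last in the pinned list. With mixed pins such as a sha1 entry after a sha256 entry, the message would show a SHA-1 value, which is the weaker digest for an operator to compare against or copy into `hostsecurity`. Using the already computed value, `nice = nicefingerprint`, keeps the message deterministic and always SHA-256. If the per-algorithm output is intended, a comment such as `# hash is the algorithm of the last pinned entry checked above` would make the dependency on the leaked loop variable explicit. Indentation is not visible in this view, so this assumes the block sits inside the `if settings['certfingerprints']:` body, where `hash` is always bound; the enclosing function starts and ends outside the hunk.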