diff -r 843df550b465 -r 5edc5acecc83 mercurial/sslutil.py
--- a/mercurial/sslutil.py	Thu May 05 00:35:45 2016 -0700
+++ b/mercurial/sslutil.py	Thu May 05 00:37:28 2016 -0700
@@ -329,6 +329,19 @@
                           (host, nicefingerprint))
             return
 
+        # If insecure connections were explicitly requested via --insecure,
+        # print a warning and do no verification.
+        #
+        # It may seem odd that this is checked *after* host fingerprint pinning.
+        # This is for backwards compatibility (for now). The message is also
+        # the same as below for BC.
+        if self.ui.insecureconnections:
+            self.ui.warn(_('warning: %s certificate with fingerprint %s not '
+                           'verified (check hostfingerprints or web.cacerts '
+                           'config setting)\n') %
+                         (host, nicefingerprint))
+            return
+
         # No pinned fingerprint. Establish trust by looking at the CAs.
         cacerts = self.ui.config('web', 'cacerts')
         if cacerts != '!':