mercurial/sslutil.py
changeset 29268 f200b58497f1
parent 29267 f0ccb6cde3e5
child 29286 a05a91a3f120
--- a/mercurial/sslutil.py	Sat May 28 12:37:36 2016 -0700
+++ b/mercurial/sslutil.py	Sat May 28 12:58:46 2016 -0700
@@ -117,6 +117,8 @@
         # Path to file containing concatenated CA certs. Used by
         # SSLContext.load_verify_locations().
         'cafile': None,
+        # Whether the legacy [hostfingerprints] section has data for this host.
+        'legacyfingerprint': False,
         # ssl.CERT_* constant used by SSLContext.verify_mode.
         'verifymode': None,
     }
@@ -140,6 +142,7 @@
     for fingerprint in ui.configlist('hostfingerprints', hostname, []):
         fingerprint = fingerprint.replace(':', '').lower()
         s['certfingerprints'].append(('sha1', fingerprint))
+        s['legacyfingerprint'] = True
 
     # If a host cert fingerprint is defined, it is the only thing that
     # matters. No need to validate CA certs.
@@ -350,6 +353,11 @@
     nicefingerprint = ':'.join([peerfingerprints['sha1'][x:x + 2]
         for x in range(0, len(peerfingerprints['sha1']), 2)])
 
+    if settings['legacyfingerprint']:
+        section = 'hostfingerprint'
+    else:
+        section = 'hostsecurity'
+
     if settings['certfingerprints']:
         fingerprintmatch = False
         for hash, fingerprint in settings['certfingerprints']:
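Review bot: The legacy branch sets `section = 'hostfingerprint'` (singular), but the section this file actually reads is `hostfingerprints` (see `ui.configlist('hostfingerprints', hostname, [])` and the comment added in the first hunk). The two warnings and the strict-mode abort hint in the later hunks used to say "hostfingerprints" and will now name a section that does not exist, so a user who follows the hint may add a pin that is silently ignored. Use `section = 'hostfingerprints'` so every message built from this variable names the real section. The enclosing function begins and ends outside this hunk.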
@@ -359,7 +367,7 @@
         if not fingerprintmatch:
             raise error.Abort(_('certificate for %s has unexpected '
                                'fingerprint %s') % (host, nicefingerprint),
-                             hint=_('check hostfingerprint configuration'))
+                             hint=_('check %s configuration') % section)
         ui.debug('%s certificate matched fingerprint %s\n' %
                  (host, nicefingerprint))
         return
@@ -372,28 +380,28 @@
     # the same as below for BC.
     if ui.insecureconnections:
         ui.warn(_('warning: %s certificate with fingerprint %s not '
-                  'verified (check hostfingerprints or web.cacerts '
+                  'verified (check %s or web.cacerts '
                   'config setting)\n') %
-                (host, nicefingerprint))
+                (host, nicefingerprint, section))
         return
 
     if not sock._hgstate['caloaded']:
         if strict:
             raise error.Abort(_('%s certificate with fingerprint %s not '
                                 'verified') % (host, nicefingerprint),
-                              hint=_('check hostfingerprints or '
-                                     'web.cacerts config setting'))
+                              hint=_('check %s or web.cacerts config '
+                                     'setting') % section)
         else:
             ui.warn(_('warning: %s certificate with fingerprint %s '
-                      'not verified (check hostfingerprints or '
-                      'web.cacerts config setting)\n') %
-                    (host, nicefingerprint))
+                      'not verified (check %s or web.cacerts config '
+                      'setting)\n') %
+                    (host, nicefingerprint, section))
 
         return
 
     msg = _verifycert(peercert2, host)
     if msg:
         raise error.Abort(_('%s certificate error: %s') % (host, msg),
-                         hint=_('configure hostfingerprint %s or use '
+                         hint=_('configure %s %s or use '
                                 '--insecure to connect insecurely') %
-                              nicefingerprint)
+                              (section, nicefingerprint))
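Review bot: In the final abort hint, the non-legacy case now renders as "configure hostsecurity <fingerprint> or use --insecure…", which names a section but gives neither the key nor the value format, so the user cannot tell what entry to write. The `[hostsecurity]` syntax is not visible in this diff; consider building a separate hint string for that branch that spells out the expected entry, rather than sharing `'configure %s %s or use '` across both sections. The fingerprint printed here belongs to a certificate that has just failed verification, so a comment above the raise would help, e.g. `# nicefingerprint is from the unverified peer cert; it must be confirmed out-of-band before pinning`. The enclosing function starts outside this hunk.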