--- a/mercurial/sslutil.py	Wed Jun 29 19:37:38 2016 -0700
+++ b/mercurial/sslutil.py	Wed Jun 29 19:38:24 2016 -0700
@@ -154,11 +154,13 @@
     # matters. No need to validate CA certs.
     if s['certfingerprints']:
         s['verifymode'] = ssl.CERT_NONE
+        s['allowloaddefaultcerts'] = False
 
     # If --insecure is used, don't take CAs into consideration.
     elif ui.insecureconnections:
         s['disablecertverification'] = True
         s['verifymode'] = ssl.CERT_NONE
+        s['allowloaddefaultcerts'] = False
 
     if ui.configbool('devel', 'disableloaddefaultcerts'):
         s['allowloaddefaultcerts'] = False