diff --git a/sysutils/tmate/Makefile b/sysutils/tmate/Makefile index b300701cccf0..8e59ad607dfd 100644 --- a/sysutils/tmate/Makefile +++ b/sysutils/tmate/Makefile @@ -2,7 +2,7 @@ PORTNAME= tmate PORTVERSION= 2.2.1 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= sysutils MAINTAINER= swills@FreeBSD.org diff --git a/sysutils/tmate/files/patch-options-table.c b/sysutils/tmate/files/patch-options-table.c new file mode 100644 index 000000000000..4400b5c98455 --- /dev/null +++ b/sysutils/tmate/files/patch-options-table.c 
@@ -0,0 +1,40 @@
+--- options-table.c.orig 2016-03-29 03:30:07 UTC
++++ options-table.c
+@@ -925,15 +925,34 @@ const struct options_table_entry options_table[] = {
+ { .name = "tmate-server-rsa-fingerprint",
+ .type = OPTIONS_TABLE_STRING,
+ .scope = OPTIONS_TABLE_SERVER,
+- .default_str = "af:2d:81:c1:fe:49:70:2d:7f:09:a9:d7:4b:32:e3:be"
++ .default_str = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
+ },
+
+ { .name = "tmate-server-ecdsa-fingerprint",
+ .type = OPTIONS_TABLE_STRING,
+ .scope = OPTIONS_TABLE_SERVER,
+- .default_str = "c7:a1:51:36:d2:bb:35:4b:0a:1a:c0:43:97:74:ea:42"
++ .default_str = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
+ },
+-
++ { .name = "tmate-server-dss-fingerprint",
++ .type = OPTIONS_TABLE_STRING,
++ .scope = OPTIONS_TABLE_SERVER,
++ .default_str = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
++ },
++ { .name = "tmate-server-ed25519-fingerprint",
++ .type = OPTIONS_TABLE_STRING,
++ .scope = OPTIONS_TABLE_SERVER,
++ .default_str = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
++ },
++ { .name = "tmate-server-dss-cert01-fingerprint",
++ .type = OPTIONS_TABLE_STRING,
++ .scope = OPTIONS_TABLE_SERVER,
++ .default_str = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
++ },
++ { .name = "tmate-server-rsa-cert01-fingerprint",
++ .type = OPTIONS_TABLE_STRING,
++ .scope = OPTIONS_TABLE_SERVER,
++ .default_str = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
++ },
+ { .name = "tmate-display-time",
+ .type = OPTIONS_TABLE_NUMBER,
+ .scope = OPTIONS_TABLE_SESSION,
diff --git a/sysutils/tmate/files/patch-tmate-ssh-client.c b/sysutils/tmate/files/patch-tmate-ssh-client.c
index 73d28cefa8e5..0e6b0d88a27b 100644
--- a/sysutils/tmate/files/patch-tmate-ssh-client.c
+++ b/sysutils/tmate/files/patch-tmate-ssh-client.c
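Review bot: The new all-zero defaults are 16 octets long — the MD5 length of the values they replace — but the companion patch-tmate-ssh-client.c change in this same commit switches the client to SSH_PUBLICKEY_HASH_SHA1, whose ssh_get_hexa form is 20 colon-separated octets, so no server key can ever match these strings and the defaults are in effect fail-closed placeholders rather than fingerprints. That is the safe failure mode, but it should be stated: `.default_str = ""` says "nothing pinned" without looking like a fingerprint (and is exactly what the ssh-client `default:` branch already compares against), and a comment such as `/* No server key is pinned by default; set the lowercase SHA1 hex fingerprint (20 colon-separated octets, as ssh_get_hexa prints it) of your tmate server in tmate.conf */` on the first entry tells operators what value to supply. Dropping the upstream tmate.io fingerprints looks intentional (presumably the port is meant for a self-hosted server), but the commit does not say so, and adding pins for DSS keys lets a self-hosted server be verified with a key type OpenSSH has disabled by default, which is worth a caveat in the same comment.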
@@ -8,3 +8,95 @@ #include "tmate.h" #include "window-copy.h" +@@ -195,6 +196,7 @@ static void on_ssh_client_event(struct tmate_ssh_clien + ssize_t hash_len; + char *hash_str; + const char *server_hash_str; ++ const char *key_type_name; + int match; + + int verbosity = SSH_LOG_NOLOG + log_get_level(); +@@ -257,43 +259,80 @@ static void on_ssh_client_event(struct tmate_ssh_clien + } + + case SSH_AUTH_SERVER: ++ tmate_debug("Starting SSH_AUTH_SERVER"); + if (ssh_get_publickey(session, &pubkey) < 0) + tmate_fatal("ssh_get_publickey"); + +- if (ssh_get_publickey_hash(pubkey, SSH_PUBLICKEY_HASH_MD5, &hash, &hash_len) < 0) { ++ if (ssh_get_publickey_hash(pubkey, SSH_PUBLICKEY_HASH_SHA1, &hash, &hash_len) < 0) { ++ tmate_debug("failed to get public key hash"); + kill_ssh_client(client, "Cannot authenticate server"); + return; + } ++ tmate_debug("got public key hash"); + + hash_str = ssh_get_hexa(hash, hash_len); + if (!hash_str) + tmate_fatal("malloc failed"); + + key_type = ssh_key_type(pubkey); ++ key_type_name = ssh_key_type_to_char(key_type); ++ if (key_type_name == NULL) { ++ tmate_debug("failed to get public key type name"); ++ return; ++ } + + switch (key_type) { + case SSH_KEYTYPE_RSA: + server_hash_str = options_get_string(global_options, + "tmate-server-rsa-fingerprint"); ++ tmate_debug("found rsa fingerprint"); + break; + case SSH_KEYTYPE_ECDSA: + server_hash_str = options_get_string(global_options, + "tmate-server-ecdsa-fingerprint"); ++ tmate_debug("found ecdsa fingerprint"); + break; ++ case SSH_KEYTYPE_DSS: ++ server_hash_str = options_get_string(global_options, ++ "tmate-server-dss-fingerprint"); ++ tmate_debug("found dss fingerprint"); ++ break; ++ case SSH_KEYTYPE_ED25519: ++ server_hash_str = options_get_string(global_options, ++ "tmate-server-ed25519-fingerprint"); ++ tmate_debug("found ed25519 fingerprint"); ++ break; ++ case SSH_KEYTYPE_DSS_CERT01: ++ server_hash_str = options_get_string(global_options, ++ "tmate-server-dss-cert01-fingerprint"); ++ 
tmate_debug("found dss_cert01 fingerprint"); ++ break; ++ case SSH_KEYTYPE_RSA_CERT01: ++ server_hash_str = options_get_string(global_options, ++ "tmate-server-rsa-cert01-fingerprint"); ++ tmate_debug("found rsa_cert01 fingerprint"); ++ break; ++ case SSH_KEYTYPE_UNKNOWN: ++ tmate_debug("found unknown fingerprint?"); ++ break; + default: + server_hash_str = ""; ++ tmate_debug("found no fingerprint?"); + } + + match = !strcmp(hash_str, server_hash_str); + + ssh_key_free(pubkey); + ssh_clean_pubkey_hash(&hash); +- free(hash_str); + + if (!match) { +- kill_ssh_client(client, "Cannot authenticate server"); ++ tmate_debug("Key mismatch: type: %s expected: %s found: %s", key_type_name, server_hash_str, hash_str); ++ kill_ssh_client(client, "Cannot authenticate server: Key mismatch: type: %s expected: %s found: %s", key_type_name, server_hash_str, hash_str); ++ free(hash_str); + return; + } ++ ++ free(hash_str); + + /* + * At this point, we abort other connection attempts to the
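Review bot: `case SSH_KEYTYPE_UNKNOWN:` breaks out of the switch without assigning `server_hash_str`, which this hunk shows declared without an initializer (`const char *server_hash_str;`), so the `strcmp(hash_str, server_hash_str)` that follows reads an indeterminate pointer; set `server_hash_str = "";` there (or drop the case so it reaches `default:`). The new `key_type_name == NULL` early return is also weaker than the neighbouring error paths: it leaves the handler without `kill_ssh_client()`, so the server stays unverified in whatever state the caller is in, and it leaks `pubkey`, `hash` and the already-allocated `hash_str`; it should release those and fail closed like the hash failure above it, as sketched below. Two things to confirm outside this hunk: the new `kill_ssh_client(client, "...%s...", ...)` call only works if that function is printf-style variadic (otherwise the format is emitted literally and the arguments are dropped), and if the port's libssh offers SSH_PUBLICKEY_HASH_SHA256 it is the better pin than SHA1, though SHA1 remains adequate against practical second-preimage attacks. on_ssh_client_event starts and ends outside this hunk.
```c
key_type_name = ssh_key_type_to_char(key_type);
if (key_type_name == NULL) {
	tmate_debug("failed to get public key type name");
	/* fail closed: release everything acquired above and drop the client */
	ssh_key_free(pubkey);
	ssh_clean_pubkey_hash(&hash);
	free(hash_str);
	kill_ssh_client(client, "Cannot authenticate server");
	return;
}
/* … unchanged: RSA/ECDSA/DSS/ED25519/cert01 key-type cases … */
case SSH_KEYTYPE_UNKNOWN:
	/* no pinned fingerprint can match an unknown key type; compare against "" so strcmp never sees garbage */
	server_hash_str = "";
	tmate_debug("found unknown fingerprint?");
	break;
```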