Cyberduck Mountain Duck CLI

Contributions to this help are welcome! This is a Wiki, you can edit the pages. Below is the content displayed from the English page.

Cyberduck Help / Howto / WebDAV

You can connect to any WebDAV compliant server using both HTTP and HTTP/SSL. Mutual TLS with a client certificate for authentication is supported.


Settings specific to service providers. Use the provided connection profiles.

Supported Authentication Methods

HTTP Basic Authentiation

Basic Authentication should only be used when using secured connection over TLS (HTTPS).

HTTP Digest Authentication

Both HTTP Basic Authentication and Digest Authentication are supported.

NTLM Authentication

Used when connecting to Sharepoint using WebDAV.

Integrated Windows Authentication (IWA)

SSL/TLS support

Choose WebDAV (HTTP/SSL) as the connection protocol to secure the connection using SSL.

Mutual TLS

Mutual (two-way) TLS with a client certificate for authentication is supported.

Prompt to authenticate with certificate when negotiating secure (TLS) connection

When a server requests a client certificate for authentication, a prompt is displayed to choose a certificate with a private key that matches the given issuer name requested from the server. Matching certificates are searched for in the Keychain on OS X or the Windows Certificate Manager respectively.

Select client certificate in bookmark

  • You can also pre-select a certificate to use for authentication when editing the bookmark.

WebDAV Bookmark Client Certificate

Trust Certificate

If the certificate is not trusted by the system, you are asked to make an exception if you still want to connect to the site that cannot be verified. This failure during certificate trust verification is most often the case when the certificate is invalid either

  • Because the hostname does not match the common name in the certificate. You will get the error message You might be connecting to a server that is pretending to be….
  • The certificate is self signed or signed by a root authority not trusted in the system.
  • The certificate is expired.

You can temporarily or permanently allow to connect nevertheless by choosing Continue. To remember your choice, select Always Trust….


You can edit custom properties using File → Info → Metadata.


  • Cyberduck Files are not locked when editing with Cyberduck.
  • Mountain Duck supports locking using LOCK and UNLOCK methods when opening documents for editing. Refer to File Locking.

Distribution (CDN)

You can enable custom origin Amazon CloudFront (Content Delivery Network) distribution using File → Info → Distribution (CDN).


Refer to Sharepoint to connect using WebDAV.

Subversion (SVN) Repositories

You can access publicly readable Subversion (SVN) repositories running behind mod_dav_svn of Apache httpd using anonymous WebDAV (HTTP) access with Cyberduck. For example the Cyberduck Source Code Repository.


Cannot login with special characters in credentials

If your server requires the use of UTF-8 character set for authenticatio, set the hidden configuration option


Interoperability failure Handshake alert: unrecognized_name

The virtual host setup by the hosting provider is most possibly misconfigured. It must accept TLS connections with SNI (Server Name Indication) extension (RFC 4366). The hostname must match the common name in the server certificate. In Apache httpd configurations, add a ServerAlias configuration directive with the hostname you use to connect.

You can verify the wrong server setup with running openssl with server name indication (SNI) enabled.

openssl s_client -servername <servername> -tlsextdebug -msg -connect <servername>:443

This will print

<<< TLS 1.0 Alert [length 0002], warning unrecognized_name

during the handshake if there is a configuration problem.

See also #7908.

Disable Expect: 100-continue

The Expect: 100-continue to make sure a server accepts an upload before data is sent. You can disable the use of this feature when there is an interoperability issue by setting the hidden option webdav.expect-continue to false.

Socket timeout with GZIP content encoding

Some servers (cPanel) have invalid return GZIP encoded content. This error may not bee seen with other clients that do not enable content compression. An invalid HTTP response status line is sent and the content size does not match the content length set. As a workaround, you can disable support for content compression. Set the hidden option http.compression.enable to false.

Require Directive in Apache HTTPD

The Require directive in Apache HTTPD tests whether an authenticated user is authorized according to a particular authorization provider and the specified restrictions. You should configure it to return a 403 HTTP status code when authorization fails using the AuthzSendForbiddenOnFailure directive. Refer to mod_authz_core.

If authentication succeeds but authorization fails, Apache HTTPD will respond with an HTTP response code of '401 UNAUTHORIZED' by default. This usually causes browsers to display the password dialogue to the user again, which is not wanted in all situations. AuthzSendForbiddenOnFailure allows to change the response code to '403 FORBIDDEN'.

Last modified on Oct 8, 2010 at 10:48:35 AM Last modified on Oct 8, 2010 10:48:35 AM
swiss made software