certificate validation in SwiftUI App fails

I'm writing an LDAP Browser app using SwiftUI. I tested my LDAP code using a command line app that uses the exact same libraries and it successfully connects to my LDAP server over a TLS connection. I did need to install the CA cert into the system keychain.

The SwiftUI version, using the exact same code and parameters, returns an "Unknown CA" error. It works fine without TLS. Can anyone explain why certificate validation is different for a GUI app?

Answered by DTS Engineer in 825597022

If you build OpenLDAP from source then it’s like any other open source library:

  • You can dig into the code yourself to find out what’s going wrong.

  • Or you can seek help via the support resources for that library.

While I have played around with OpenLDAP myself in the past, that experience was so minimal that I don’t have any insight to share on this issue.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

What platform are you targeting for your SwiftUI app? The Mac? Or something else?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

macOS 15.0

I've also tried the OpenLDAP config settings to disable cert validation and to provide a specific CA cert file. Neither seems to have any effect. The OpenLDAP library is statically linked into my app. Below is a code fragment of the init function.

```swift
public init(url: String = "ldaps://localhost", loginData: Login? = nil, codePage: Iconv.CodePage = .UTF8) throws {

    if codePage != .UTF8 {
        // We need a pair of code pages to convert in both directions.
        iconv = try Iconv(from: codePage, to: .UTF8)
        iconvR = try Iconv(from: .UTF8, to: codePage)
    } // end if

    // A nil handle: options set on it become the process-wide OpenLDAP defaults.
    ldap = OpaquePointer(bitPattern: 0)

    // Commented out: turning certificate checking off entirely.
    // var certOption: Int32 = LDAP_OPT_X_TLS_NEVER
    // var r = ldap_set_option(ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, &certOption)
    // guard r == LDAP_SUCCESS else {
    //     throw Exception.message("TLS NEVER: " + LDAP.error(r))
    // }

    // Point the library at the CA certificate that issued the server certificate.
    let certFile: String = "/etc/lbCerts/igTreeCA.pem"

    var r = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTFILE, certFile)
    guard r == LDAP_SUCCESS else {
        throw Exception.message("TLS CERTFILE: " + LDAP.error(r))
    }

    r = ldap_initialize(&ldap, url)
    // (fragment continues)
```
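As an added example (not the poster's code and not from the OpenLDAP project), the same TLS settings applied to the connection handle rather than to the global defaults, with the CA file checked for readability first and the stored option read back afterwards. It assumes the statically linked library is imported as a module named `OpenLDAP` and that the caller supplies the CA path; `openValidatedLDAP` and `LDAPTLSError` are names introduced here.

```swift
import Foundation
import OpenLDAP   // assumed module-map name for the statically linked library

enum LDAPTLSError: Error {
    case caFileUnreadable(String)
    case option(String, Int32)
    case initialize(Int32)
}

/// Opens `url` with a per-handle TLS context that demands a chain rooted at `caFile`.
/// Returns the handle; the caller is responsible for ldap_unbind_ext_s.
func openValidatedLDAP(url: String, caFile: String) throws -> OpaquePointer {
    // A sandboxed GUI app may be unable to read a file a command-line tool could;
    // fail loudly here instead of letting the library fall back to its defaults.
    guard FileManager.default.isReadableFile(atPath: caFile) else {
        throw LDAPTLSError.caFileUnreadable(caFile)
    }

    var ld: OpaquePointer? = nil
    let rc = ldap_initialize(&ld, url)
    guard rc == LDAP_SUCCESS, let handle = ld else { throw LDAPTLSError.initialize(rc) }

    func set(_ option: Int32, _ value: UnsafeRawPointer, _ name: String) throws {
        let r = ldap_set_option(handle, option, value)
        guard r == LDAP_SUCCESS else { throw LDAPTLSError.option(name, r) }
    }

    var version: Int32 = LDAP_VERSION3
    try set(LDAP_OPT_PROTOCOL_VERSION, &version, "PROTOCOL_VERSION")

    // Require a certificate that validates; keep LDAP_OPT_X_TLS_NEVER out of shipping code.
    var require: Int32 = LDAP_OPT_X_TLS_DEMAND
    try set(LDAP_OPT_X_TLS_REQUIRE_CERT, &require, "REQUIRE_CERT")
    try caFile.withCString { try set(LDAP_OPT_X_TLS_CACERTFILE, UnsafeRawPointer($0), "CACERTFILE") }

    // Per-handle TLS settings only take effect once a new client context (0) is
    // created for this handle; without this step the global context is used.
    var newCtx: Int32 = 0
    try set(LDAP_OPT_X_TLS_NEWCTX, &newCtx, "NEWCTX")

    // Read the option back so a misapplied path shows up before the first bind.
    var stored: UnsafeMutablePointer<CChar>? = nil
    if ldap_get_option(handle, LDAP_OPT_X_TLS_CACERTFILE, &stored) == LDAP_SUCCESS, let s = stored {
        print("CA file in effect:", String(cString: s))
        ldap_memfree(s)   // ldap_get_option returns a copy the caller must free
    }
    return handle
}
```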

Are you building OpenLDAP from source? Or using the version built in to macOS?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I built it from source and added the static library to my project using a module map.
