Marble Blast Platinum Support

We encourage you first of all to find solutions to your problem in this section's threads. If you do not thus find any solution, please take account of the following:

If you have a problem which prevents you from playing Marble Blast Platinum, please create a new thread on this board with a description of your problem as title. In your post please indicate the computer involved (Mac/PC, operating system).

If in playing Marble Blast Platinum you discover a bug, please post in the Community found Bugs/Mistakes sub-board.

If you need hints for the Marble Blast Platinum game, please post in the Hints, Videos and other Tips sub-board.

file For players on a very old macOS (like 10.11 old): Accessing Online

  • HiGuy
  • HiGuy's Avatar Topic Author
  • Offline
  • Lead Developer
  • Lead Developer
  • PQ Developer Emeritus
  • Posts: 1333
  • Thank you received: 604
09 Apr 2020 04:47 - 02 Dec 2022 08:11 #1
On old versions of macOS, PQ cannot verify the HTTPS/TLS for marbleblast.com because the system's root cert for Cloudflare (who do our TLS) is expired. Basically this means that you cannot play online because the game cannot verify that our server is legit.

If you experience this, you can add the following to the end of platinum/client/mbpPrefs.cs:
Code:
$pref::SSL::VerifyPeer = 0;

This will make your game stop trying to check that marbleblast.com is verified and connect anyway. Note this opens you to man-in-the-middle attacks on your network, but if you're still running macOS 10.9 you've got bigger security problems...

This signature is real code
Code:
function clientcmd12dothepq() { commandToClient(LocalClientConnection, '34onthedancefloor'); }
Last edit: 02 Dec 2022 08:11 by HiGuy. Reason: What year is it
The following user(s) said Thank You: NF, Myrus

Please Log in or Create an account to join the conversation.

  • Posts: 3
  • Thank you received: 0
23 May 2020 07:16 - 31 May 2020 04:44 #2
I don't think it's a root cert issue per se since Baltimore CyberTrust is indeed present in keychain and works fine in Chrome (which uses the native certs, unlike Firefox which bundles its own). Interestingly though Safari doesn't validate the chain despite the cert appearing to validate fine in the info pane as mentioned in [1]. Native curl doesn't like the chain either.

Aside from your mentioned workaround, you might consider shipping openssl with its own cert bundle and a libcurl built against that.

[1] community.cloudflare.com/t/safari-6-0-3-...ers-works-fine/48534

Edit: Chrome seems to have a more robust implementation of certificate verification [2] that also accounts for some flaws in OS X/Security.framework. The only special case for Baltimore certs is about one cross-signed by GTE CyberTrust (which did expire in 2018). Cloudflare only sends up to the ECC CA-3 intermediate though so that issue shouldn't apply (and validation still fails even with GTE deleted), so I'm still not quite sure why curl (and safari) don't validate. Curl & Safari seem to use apple's native secure transport implementation over openssl, so I'm guessing the issue lies somewhere there – looking at curl source as an example, it directly calls into secure transport's SSLHandshake() and relies on the system's cert verification rather than manually verifying the cert chain via the SecTrust* apis as Chrome does.

[2] chromium.googlesource.com/chromium/chrom...rify_proc_mac.cc#442

Edit: Oh that chromium source code is long out of date. The newer version of cert verification [3] has a much better comment
Code:
OS X lacks proper path discovery; it will take the input certs and never // backtrack the graph attempting to discover valid paths. // This can create issues in some situations: // - When OS X changes the trust store, there may be a chain // A -> B -> C -> D // where OS X trusts D (on some versions) and trusts C (on some versions). // If a server supplies a chain A, B, C (cross-signed by D), then this chain // will successfully validate on systems that trust D, but fail for systems // that trust C. If the server supplies a chain of A -> B, then it forces // all clients to fetch C (via AIA) if they trust D, and not all clients // (notably, Firefox and Android) will do this, thus breaking them. // An example of this is the Verizon Business Services root - GTE CyberTrust // and Baltimore CyberTrust roots represent old and new roots that cause // issues depending on which version of OS X being used. // // - A server may be (misconfigured) to send an expired intermediate // certificate. On platforms with path discovery, the graph traversal // will back up to immediately before this intermediate, and then // attempt an AIA fetch or retrieval from local store. However, OS X // does not do this, and thus prevents access. While this is ostensibly // a server misconfiguration issue, the fact that it works on other // platforms is a jarring inconsistency for users. // // - When OS X trusts both C and D (simultaneously), it's possible that the // version of C signed by D is signed using a weak algorithm (e.g. SHA-1), // while the version of C in the trust store's signature doesn't matter. // Since a 'strong' chain exists, it would be desirable to prefer this // chain. // // - A variant of the above example, it may be that the version of B sent by // the server is signed using a weak algorithm, but the version of B // present in the AIA of A is signed using a strong algorithm. Since a // 'strong' chain exists, it would be desirable to prefer this chain. // // - A user keychain may contain a less desirable intermediate or root. // OS X gives the user keychains higher priority than the system keychain, // so it may build a weak chain. // // Because of this, the code below first attempts to validate the peer's // identity using the supplied chain. If it is not trusted (e.g. the OS only // trusts C, but the version of C signed by D was sent, and D is not trusted), // or if it contains a weak chain, it will begin lopping off certificates // from the end of the chain and attempting to verify. If a stronger, trusted // chain is found, it is used, otherwise, the algorithm continues until only // the peer's certificate remains. // // If the loop does not find a trusted chain, the loop will be repeated with // the keychain search order altered to give priority to the System Roots // keychain. // // This does cause a performance hit for these users, but only in cases where // OS X is building weaker chains than desired, or when it would otherwise // fail the connection.

Again, none of those conditions seem to apply directly; it'd still be quite interesting to find out why these chains in particular fail.

[3] chromium.googlesource.com/chromium/src/+...t_verify_proc_mac.cc
Last edit: 31 May 2020 04:44 by krackers.

Please Log in or Create an account to join the conversation.

  • Posts: 905
  • Thank you received: 406
17 Jul 2022 19:42 #3
I believe this is now required for any version of macOS before 10.12. I have a 2014 Mac mini running macOS 10.10, and I can't get online in PQ. So I tried this fix, but then when I clicked online the game froze, so even this wouldn't work. Is there any way to fix this or do I have to upgrade to 10.12? I really don't want to do that because that Mac mini is so dumb that it will run incredibly slowly on anything higher than 10.10 (or 10.11 at a stretch).

I mean, the real solution would be to just get a 2018 Mac mini, but that costs money and I don't want to do that. I just want to play PQ online on my Mac mini, since that's where I play MBG right now.

Please Log in or Create an account to join the conversation.

  • HiGuy
  • HiGuy's Avatar Topic Author
  • Offline
  • Lead Developer
  • Lead Developer
  • PQ Developer Emeritus
  • Posts: 1333
  • Thank you received: 604
20 Jul 2022 07:49 #4
That could very well be the case. I can't confirm anything myself as my 10.9 machine was the Thistle server and it's no longer running. If you try opening a terminal and running "curl marbleblast.com" does it print the homepage correctly? That should be a good indicator if curl works, and PQ uses curl to do networking internally.

It could be a different bug since the build process has changed since I was the one uploading versions. I'm not sure if RandomityGuy is targeting 10.7 with the same compiler as I did, so that could have introduced incompatibilities in the process. If you've got an old copy <= 2.4.1, try that and see if it crashes in a similar manner.

This signature is real code
Code:
function clientcmd12dothepq() { commandToClient(LocalClientConnection, '34onthedancefloor'); }

Please Log in or Create an account to join the conversation.

  • Posts: 905
  • Thank you received: 406
20 Jul 2022 20:38 #5
Running "curl marbleblast.com " works properly, but running "curl marbleblast.com" does not. Maybe that has something to do with it.

Pretty sure I'm just going to get a 2018 Mac mini soon anyway, but if that doesn't happen then am I out of luck? I think it did used to work before 2.4.1 though. I can't test it since I don't have an old version, but it was relatively recently that it broke.

Please Log in or Create an account to join the conversation.

  • Posts: 25
  • Thank you received: 3
20 Jul 2022 20:48 #6
I could send you my 2.3.34 copy but I’m pretty sure you have to have pq at the latest edition for it to run online functions.

Please Log in or Create an account to join the conversation.

  • Posts: 905
  • Thank you received: 406
28 Nov 2022 00:57 - 28 Nov 2022 01:02 #7
I guess it didn't display correctly—in Terminal, running
Code:
curl https://marbleblast.com
works properly, but running
Code:
curl marbleblast.com
does not. Also I'm currently typing this on macOS 10.10 on that same Mac mini, with Safari 10.1.2, so this version loads the website just fine but still can't play PQ online? I don't know what that's about, but I hope there's a fix somehow, because playing on WINE is murder (6 FPS on Winterfest levels today), so I'd greatly prefer something to work with the Mac mini.

Furthermore, due to the behavior where the game slows down if the frame rate is below 20 FPS, the multiplayer games I was hosting which were supposed to be only 5 minutes long ended up being 8–9 minutes long because of my low frame rate. To me, that feels like behavior that shouldn't happen.
Last edit: 28 Nov 2022 01:02 by NF. Reason: Added the second paragraph

Please Log in or Create an account to join the conversation.

  • HiGuy
  • HiGuy's Avatar Topic Author
  • Offline
  • Lead Developer
  • Lead Developer
  • PQ Developer Emeritus
  • Posts: 1333
  • Thank you received: 604
30 Nov 2022 07:17 - 30 Nov 2022 07:17 #8
What version of curl? Try curl --version

Also try curl -v marbleblast.com and copy anything that comes before the <!doctype html> etc

If you check the console, do you get any error messages in the form(s):

* Request <number> finished with <success/failure>
* HTTP Response code: <number>
* Error info: Code <number>: <text>
* curl_multi_perform failed (<number>): <text>
* curl_easy_perform failed (<number>): <text>
* Could not download <file>: error opening stream.

Also yes, low framerate leading to longer game is known and expected behavior. Just one of the tradeoffs of limiting the tick rate to _something_ so the physics doesn't break.

This signature is real code
Code:
function clientcmd12dothepq() { commandToClient(LocalClientConnection, '34onthedancefloor'); }
Last edit: 30 Nov 2022 07:17 by HiGuy. Reason: forums pls stop eating my url scheme
The following user(s) said Thank You: NF

Please Log in or Create an account to join the conversation.

  • Posts: 905
  • Thank you received: 406
30 Nov 2022 15:12 #9
Well for some reason, at least on 10.10, the trick of adding
Code:
$pref::SSL::VerifyPeer = 0;
works now. I don't know why! Also the website loads properly in Safari 10.1.2, with the https and everything, so I wonder why it can't verify the SSL connection in-game anyway. If I can, I'll test it on 10.7–10.9 and we'll see if the same fix works.

I'm using curl version 7.43.0, and I assume there are no error messages in the console because the game is actually connecting now. I guess the next thing to try is to host a dedicated server on this OS and see if it works.

Please Log in or Create an account to join the conversation.

  • HiGuy
  • HiGuy's Avatar Topic Author
  • Offline
  • Lead Developer
  • Lead Developer
  • PQ Developer Emeritus
  • Posts: 1333
  • Thank you received: 604
01 Dec 2022 07:27 #10
Neat that it Just Worked. Maybe the setting just got reset somehow, I wouldn't be surprised. Safari probably gets updated certs from Apple somehow that aren't being stored in a way that libcurl (in PQ) knows about them. I don't know.

Also, dedicated servers use an entirely different system (game servers are UDP and torque's wacky custom netcode, lbs are TCP/HTTPS). The only stuff dedicated servers use curl for is verifying login sessions (which you can turn off btw, $Server::Offline = true; or something). If your port forward works, then hosting should generally Just Work.

This signature is real code
Code:
function clientcmd12dothepq() { commandToClient(LocalClientConnection, '34onthedancefloor'); }
The following user(s) said Thank You: NF

Please Log in or Create an account to join the conversation.

  • Posts: 905
  • Thank you received: 406
02 Dec 2022 01:11 - 02 Dec 2022 01:13 #11
Well, one thing I did just realize is that the Custom Levels button, and therefore the ability to download and play levels from Marbleland in-game, doesn't work on this old macOS. Unless there's a way to fix it, I guess I'm just going to have to use the dumb WINE version, which gives me 6 FPS when I'm near cannons/scenery, or wait for someone to make a level pack so that I can download it directly from Marbleland.

Also, I recommend you change the title of this topic to "[...] (like 10.11 old) [...]", since 10.12 is the oldest version that can still go online without having to do that fix that you talked about in the first post.
Last edit: 02 Dec 2022 01:13 by NF. Reason: Added suggestion for topic title change

Please Log in or Create an account to join the conversation.

  • HiGuy
  • HiGuy's Avatar Topic Author
  • Offline
  • Lead Developer
  • Lead Developer
  • PQ Developer Emeritus
  • Posts: 1333
  • Thank you received: 604
02 Dec 2022 08:10 #12

NF wrote: Well, one thing I did just realize is that the Custom Levels button, and therefore the ability to download and play levels from Marbleland in-game, doesn't work on this old macOS


Oh whoops i bet the code for that just needs to check the variable. Should be in marbleland.cs somewhere if you're bold enough to go looking. Or ask any of the current dev people, they could find it easily.

And sure I'll change the thread title. It feels weird calling 10.11 old now, even if that was like 7 years ago. I think my mind is permanently stuck in 2017 or something...

This signature is real code
Code:
function clientcmd12dothepq() { commandToClient(LocalClientConnection, '34onthedancefloor'); }

Please Log in or Create an account to join the conversation.

  • Posts: 905
  • Thank you received: 406
02 Dec 2022 15:58 #13
Maybe it feels weird calling 10.11 old because it has the same UI as 10.15? But for me too—it feels like only yesterday that I was installing the brand new macOS 10.11 on my 2014 Mac mini. Or maybe it's because I jumped straight from 10.4 to 10.10, so 10.10 has always felt "new" to me. I don't know.

I'll ask the dev people about it later today or tomorrow when I have more time. Thanks for all your help though!

Please Log in or Create an account to join the conversation.

Moderators: Doomblah
Time to create page: 0.714 seconds
We use cookies

We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.