Unable to connect to Google Cloud APIs with Java 12

McGin :

After an attempt to update to JDK12 I'm unable to connect to Google Cloud APIs due to SSL handshake errors when using the google cloud client libraries. This worked fine for me with Java 11, and swapping back in JDK 11 runtime resolves the issue.

This is the output from my application when I attempt to authenticate with gcloud with -Djavax.net.debug=ssl:handshake:verbose set.

[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.438 UTC|Utilities.java:73|the previous server name in SNI (type=host_name (0), value=oauth2.googleapis.com) was replaced with (type=host_name (0), value=oauth2.googleapis.com)
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.445 UTC|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256 for TLS12
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.450 UTC|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384 for TLS12
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.450 UTC|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256 for TLS12
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|ALL|1A|Gax-1|2019-05-15 16:27:19.466 UTC|SignatureScheme.java:358|Ignore disabled signature scheme: rsa_md5
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|INFO|1A|Gax-1|2019-05-15 16:27:19.466 UTC|AlpnExtension.java:161|No available application protocols
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.466 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: application_layer_protocol_negotiation
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.467 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: cookie
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.483 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: renegotiation_info
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.484 UTC|PreSharedKeyExtension.java:633|No session to resume.
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.485 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: pre_shared_key
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.494 UTC|ClientHello.java:653|Produced ClientHello handshake message (
[native-api-5bc89d67bc-dfsvq] "ClientHello": {
[native-api-5bc89d67bc-dfsvq]   "client version"      : "TLSv1.2",
[native-api-5bc89d67bc-dfsvq]   "random"              : "53 EF 41 BD B0 D5 8A 6F F6 1C 59 19 80 20 A0 A3 29 37 AD 10 C0 3E 7C 4E AD E7 AF 4F F5 C5 35 1E",
[native-api-5bc89d67bc-dfsvq]   "session id"          : "76 C9 9B 84 D6 9E BB 06 A3 B0 5A C1 08 05 29 9E 80 A7 43 10 9E B1 87 88 5F F1 9B 97 84 12 F6 AE",
[native-api-5bc89d67bc-dfsvq]   "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
[native-api-5bc89d67bc-dfsvq]   "compression methods" : "00",
[native-api-5bc89d67bc-dfsvq]   "extensions"          : [
[native-api-5bc89d67bc-dfsvq]     "server_name (0)": {
[native-api-5bc89d67bc-dfsvq]       type=host_name (0), value=oauth2.googleapis.com
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "status_request (5)": {
[native-api-5bc89d67bc-dfsvq]       "certificate status type": ocsp
[native-api-5bc89d67bc-dfsvq]       "OCSP status request": {
[native-api-5bc89d67bc-dfsvq]         "responder_id": <empty>
[native-api-5bc89d67bc-dfsvq]         "request extensions": {
[native-api-5bc89d67bc-dfsvq]           <empty>
[native-api-5bc89d67bc-dfsvq]         }
[native-api-5bc89d67bc-dfsvq]       }
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "supported_groups (10)": {
[native-api-5bc89d67bc-dfsvq]       "versions": [ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "ec_point_formats (11)": {
[native-api-5bc89d67bc-dfsvq]       "formats": [uncompressed]
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "signature_algorithms (13)": {
[native-api-5bc89d67bc-dfsvq]       "signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "signature_algorithms_cert (50)": {
[native-api-5bc89d67bc-dfsvq]       "signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "status_request_v2 (17)": {
[native-api-5bc89d67bc-dfsvq]       "cert status request": {
[native-api-5bc89d67bc-dfsvq]         "certificate status type": ocsp_multi
[native-api-5bc89d67bc-dfsvq]         "OCSP status request": {
[native-api-5bc89d67bc-dfsvq]           "responder_id": <empty>
[native-api-5bc89d67bc-dfsvq]           "request extensions": {
[native-api-5bc89d67bc-dfsvq]             <empty>
[native-api-5bc89d67bc-dfsvq]           }
[native-api-5bc89d67bc-dfsvq]         }
[native-api-5bc89d67bc-dfsvq]       }
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "extended_master_secret (23)": {
[native-api-5bc89d67bc-dfsvq]       <empty>
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "supported_versions (43)": {
[native-api-5bc89d67bc-dfsvq]       "versions": [TLSv1.3, TLSv1.2]
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "psk_key_exchange_modes (45)": {
[native-api-5bc89d67bc-dfsvq]       "ke_modes": [psk_dhe_ke]
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "key_share (51)": {
[native-api-5bc89d67bc-dfsvq]       "client_shares": [
[native-api-5bc89d67bc-dfsvq]         {
[native-api-5bc89d67bc-dfsvq]           "named group": ffdhe2048
[native-api-5bc89d67bc-dfsvq]           "key_exchange": {
[native-api-5bc89d67bc-dfsvq]             .....
[native-api-5bc89d67bc-dfsvq]           }
[native-api-5bc89d67bc-dfsvq]         },
[native-api-5bc89d67bc-dfsvq]       ]
[native-api-5bc89d67bc-dfsvq]     }
[native-api-5bc89d67bc-dfsvq]   ]
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] )
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.496 UTC|Alert.java:238|Received alert message (
[native-api-5bc89d67bc-dfsvq] "Alert": {
[native-api-5bc89d67bc-dfsvq]   "level"      : "fatal",
[native-api-5bc89d67bc-dfsvq]   "description": "handshake_failure"
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] )
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|ERROR|1A|Gax-1|2019-05-15 16:27:19.500 UTC|TransportContext.java:312|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
[native-api-5bc89d67bc-dfsvq] "throwable" : {
[native-api-5bc89d67bc-dfsvq]   javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:285)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:180)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1356)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1331)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:242)
[native-api-5bc89d67bc-dfsvq]       at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:113)
[native-api-5bc89d67bc-dfsvq]       at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:84)
[native-api-5bc89d67bc-dfsvq]       at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1040)
[native-api-5bc89d67bc-dfsvq]       at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:399)
[native-api-5bc89d67bc-dfsvq]       at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:181)
[native-api-5bc89d67bc-dfsvq]       at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:167)
[native-api-5bc89d67bc-dfsvq]       at com.google.auth.Credentials.blockingGetToCallback(Credentials.java:113)
[native-api-5bc89d67bc-dfsvq]       at com.google.auth.Credentials$1.run(Credentials.java:99)
[native-api-5bc89d67bc-dfsvq]       at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
[native-api-5bc89d67bc-dfsvq]       at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
[native-api-5bc89d67bc-dfsvq]       at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
[native-api-5bc89d67bc-dfsvq]       at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[native-api-5bc89d67bc-dfsvq]       at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[native-api-5bc89d67bc-dfsvq]       at java.base/java.lang.Thread.run(Thread.java:835)}
[native-api-5bc89d67bc-dfsvq]
[native-api-5bc89d67bc-dfsvq] )
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.500 UTC|SSLSocketImpl.java:1389|close the underlying socket
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.500 UTC|SSLSocketImpl.java:1408|close the SSL connection (initiative)

Some detail on my environment

$ java Ciphers # see https://confluence.atlassian.com/stashkb/list-ciphers-used-by-jvm-679609085.html
Default Cipher
*   TLS_AES_128_GCM_SHA256
*   TLS_AES_256_GCM_SHA384
*   TLS_CHACHA20_POLY1305_SHA256
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*   TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*   TLS_DHE_DSS_WITH_AES_256_CBC_SHA
*   TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
*   TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
*   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
*   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
*   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
*   TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*   TLS_RSA_WITH_AES_128_CBC_SHA
*   TLS_RSA_WITH_AES_128_CBC_SHA256
*   TLS_RSA_WITH_AES_128_GCM_SHA256
*   TLS_RSA_WITH_AES_256_CBC_SHA
*   TLS_RSA_WITH_AES_256_CBC_SHA256
*   TLS_RSA_WITH_AES_256_GCM_SHA384

$ java --version
openjdk 12.0.1 2019-04-16
OpenJDK Runtime Environment (build 12.0.1+12)
OpenJDK 64-Bit Server VM (build 12.0.1+12, mixed mode)

$ java --list-modules
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

This is what nmap is telling me about the Google Cloud API:

$ nmap -sV --script ssl-enum-ciphers -p 443 oauth2.googleapis.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 17:02 BST
Nmap scan report for oauth2.googleapis.com (216.58.198.170)
Host is up (0.0036s latency).
Other addresses for oauth2.googleapis.com (not scanned): 172.217.169.42 172.217.169.74 216.58.210.202 216.58.206.74 216.58.213.106 216.58.206.138 216.58.212.74 216.58.204.42 216.58.211.170 216.58.204.74
rDNS record for 216.58.198.170: lhr25s10-in-f10.1e100.net

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https gws
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     Date: Wed, 15 May 2019 16:03:08 GMT
|     Expires: -1
|     Cache-Control: private, max-age=0
|     Content-Type: text/html; charset=ISO-8859-1
|     P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
|     Server: gws
|     X-XSS-Protection: 0
|     X-Frame-Options: SAMEORIGIN
|     Set-Cookie: 1P_JAR=2019-05-15-16; expires=Fri, 14-Jun-2019 16:03:08 GMT; path=/; domain=.google.com
|     Set-Cookie: NID=183=YYh48j3880NJp7Imev2IuA6fbZh2XB92x0D3woXT1l1aOhSgvVdNElia3mL7IBtyYDp7cShGyWcN0qcDkXNqKuA2S0cEpm122vmlrifWE0oeur1eeLovYqpvS4typQhxJMKagpV93VHW6avhd4F_5mGJSjaPgCNzhVFlJEdCGfA; expires=Thu, 14-Nov-2019 16:03:08 GMT; path=/; domain=.google.com; HttpOnly
|     Alt-Svc: quic=":443"; ma=2592000; v="46,44,43,39"
|     Accept-Ranges: none
|     Vary: Accept-Encoding
|     <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Ty
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Allow: GET, HEAD
|     Date: Wed, 15 May 2019 16:03:08 GMT
|     Content-Type: text/html; charset=UTF-8
|     Server: gws
|     Content-Length: 1592
|     X-XSS-Protection: 0
|     X-Frame-Options: SAMEORIGIN
|     Alt-Svc: quic=":443"; ma=2592000; v="46,44,43,39"
|     <!DOCTYPE html>
|     <html lang=en>
|     <meta charset=utf-8>
|     <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
|     <title>Error 405 (Method Not Allowed)!!1</title>
|     <style>
|_    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:n
| http-server-header:
|   ESF
|_  gws
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C

McGin :

The cause was a missing module, jdk.crypto.cryptoki.

The runtime I was using was generated like so:

     jlink \
        --add-modules java.base,java.logging,java.xml,jdk.unsupported,java.sql,java.naming,java.desktop,java.management,java.security.jgss,java.instrument,jdk.management,java.net.http \
        --module-path $(find $JAVA_HOME -name lib -type d) \
        --output ~/jre

The fix is simply to include the jdk.crypto.cryptoki module in the runtime JRE. I'm not clear why this is necessary for JDK12 but not JDK11 (I do the same thing for both).

     jlink \
        --add-modules java.base,java.logging,java.xml,jdk.unsupported,java.sql,java.naming,java.desktop,java.management,java.security.jgss,java.instrument,jdk.management,java.net.http,jdk.crypto.cryptoki \
        --module-path $(find $JAVA_HOME -name lib -type d) \
        --output ~/jre
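
A startup self-check for a jlink-built runtime, added here as an example (not code from the original post): the ClientHello in the question offers only RSA and DHE suites and only ffdhe groups, which is what JSSE sends when no EC provider is installed. The class name `TlsRuntimeCheck` is hypothetical; `jdk.crypto.ec` is the JDK module that carries the SunEC provider in JDK 11 and 12.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;

/** Hypothetical startup check: can this (jlink-built) JVM negotiate ECDHE? */
public class TlsRuntimeCheck {

    // Modules that contribute the security providers relevant to this failure.
    static final List<String> CRYPTO_MODULES =
            List.of("jdk.crypto.ec", "jdk.crypto.cryptoki");

    /** True if some installed provider can generate EC key pairs. */
    static boolean hasEcKeySupport() {
        try {
            KeyPairGenerator.getInstance("EC");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Cipher suites JSSE enables by default that use ECDHE key exchange. */
    static List<String> ecdheSuites() throws NoSuchAlgorithmException {
        String[] enabled = SSLContext.getDefault()
                .getDefaultSSLParameters().getCipherSuites();
        return Arrays.stream(enabled)
                .filter(s -> s.startsWith("TLS_ECDHE_"))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        // Which crypto modules made it into the runtime image?
        for (String m : CRYPTO_MODULES) {
            boolean present = ModuleLayer.boot().findModule(m).isPresent();
            System.out.printf("module %-20s %s%n", m, present ? "present" : "MISSING");
        }
        // Which providers did the JVM actually register?
        for (Provider p : Security.getProviders()) {
            System.out.println("provider " + p.getName());
        }
        boolean ec = hasEcKeySupport();
        List<String> ecdhe = ecdheSuites();
        System.out.println("EC KeyPairGenerator available: " + ec);
        System.out.println("ECDHE suites enabled by default: " + ecdhe.size());
        if (!ec || ecdhe.isEmpty()) {
            // Same symptom as the debug log above: no ECDHE suites, no EC groups.
            System.err.println("No EC support in this runtime; rebuild it with "
                    + "jlink --add-modules ...,jdk.crypto.cryptoki as in the answer.");
            System.exit(1);
        }
    }
}
```

Run it with the `java` binary from the jlink output directory (for example `~/jre/bin/java TlsRuntimeCheck.java`, which additionally needs `jdk.compiler` in the image, or compile it first with a full JDK); a non-zero exit means the image would reproduce the handshake failure against servers that require ECDHE.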
