No se puede conectar a las API de Google en la nube con Java 12

McGin:

Después de un intento de actualización de jdk12 Soy incapaz de conectar con Google Cloud API debido a errores de protocolo de enlace SSL cuando se utilizan las bibliotecas de cliente de Google en la nube. Esta bien que funcionó para mí con Java 11, y el trueque de nuevo en tiempo de ejecución 11 JDK resuelve el problema.

Esta es la salida de mi solicitud cuando intento para autenticarse con gcloud con -Djavax.net.debug=ssl:handshake:verboseset.

[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.438 UTC|Utilities.java:73|the previous server name in SNI (type=host_name (0), value=oauth2.googleapis.com) was replaced with (type=host_name (0), value=oauth2.googleapis.com)
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.445 UTC|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256 for TLS12
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.450 UTC|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384 for TLS12
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.450 UTC|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256 for TLS12
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|ALL|1A|Gax-1|2019-05-15 16:27:19.466 UTC|SignatureScheme.java:358|Ignore disabled signature scheme: rsa_md5
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|INFO|1A|Gax-1|2019-05-15 16:27:19.466 UTC|AlpnExtension.java:161|No available application protocols
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.466 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: application_layer_protocol_negotiation
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.467 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: cookie
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.483 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: renegotiation_info
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.484 UTC|PreSharedKeyExtension.java:633|No session to resume.
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.485 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: pre_shared_key
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.494 UTC|ClientHello.java:653|Produced ClientHello handshake message (
[native-api-5bc89d67bc-dfsvq] "ClientHello": {
[native-api-5bc89d67bc-dfsvq]   "client version"      : "TLSv1.2",
[native-api-5bc89d67bc-dfsvq]   "random"              : "53 EF 41 BD B0 D5 8A 6F F6 1C 59 19 80 20 A0 A3 29 37 AD 10 C0 3E 7C 4E AD E7 AF 4F F5 C5 35 1E",
[native-api-5bc89d67bc-dfsvq]   "session id"          : "76 C9 9B 84 D6 9E BB 06 A3 B0 5A C1 08 05 29 9E 80 A7 43 10 9E B1 87 88 5F F1 9B 97 84 12 F6 AE",
[native-api-5bc89d67bc-dfsvq]   "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
[native-api-5bc89d67bc-dfsvq]   "compression methods" : "00",
[native-api-5bc89d67bc-dfsvq]   "extensions"          : [
[native-api-5bc89d67bc-dfsvq]     "server_name (0)": {
[native-api-5bc89d67bc-dfsvq]       type=host_name (0), value=oauth2.googleapis.com
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "status_request (5)": {
[native-api-5bc89d67bc-dfsvq]       "certificate status type": ocsp
[native-api-5bc89d67bc-dfsvq]       "OCSP status request": {
[native-api-5bc89d67bc-dfsvq]         "responder_id": <empty>
[native-api-5bc89d67bc-dfsvq]         "request extensions": {
[native-api-5bc89d67bc-dfsvq]           <empty>
[native-api-5bc89d67bc-dfsvq]         }
[native-api-5bc89d67bc-dfsvq]       }
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "supported_groups (10)": {
[native-api-5bc89d67bc-dfsvq]       "versions": [ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "ec_point_formats (11)": {
[native-api-5bc89d67bc-dfsvq]       "formats": [uncompressed]
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "signature_algorithms (13)": {
[native-api-5bc89d67bc-dfsvq]       "signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "signature_algorithms_cert (50)": {
[native-api-5bc89d67bc-dfsvq]       "signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "status_request_v2 (17)": {
[native-api-5bc89d67bc-dfsvq]       "cert status request": {
[native-api-5bc89d67bc-dfsvq]         "certificate status type": ocsp_multi
[native-api-5bc89d67bc-dfsvq]         "OCSP status request": {
[native-api-5bc89d67bc-dfsvq]           "responder_id": <empty>
[native-api-5bc89d67bc-dfsvq]           "request extensions": {
[native-api-5bc89d67bc-dfsvq]             <empty>
[native-api-5bc89d67bc-dfsvq]           }
[native-api-5bc89d67bc-dfsvq]         }
[native-api-5bc89d67bc-dfsvq]       }
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "extended_master_secret (23)": {
[native-api-5bc89d67bc-dfsvq]       <empty>
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "supported_versions (43)": {
[native-api-5bc89d67bc-dfsvq]       "versions": [TLSv1.3, TLSv1.2]
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "psk_key_exchange_modes (45)": {
[native-api-5bc89d67bc-dfsvq]       "ke_modes": [psk_dhe_ke]
[native-api-5bc89d67bc-dfsvq]     },
[native-api-5bc89d67bc-dfsvq]     "key_share (51)": {
[native-api-5bc89d67bc-dfsvq]       "client_shares": [
[native-api-5bc89d67bc-dfsvq]         {
[native-api-5bc89d67bc-dfsvq]           "named group": ffdhe2048
[native-api-5bc89d67bc-dfsvq]           "key_exchange": {
[native-api-5bc89d67bc-dfsvq]             .....
[native-api-5bc89d67bc-dfsvq]           }
[native-api-5bc89d67bc-dfsvq]         },
[native-api-5bc89d67bc-dfsvq]       ]
[native-api-5bc89d67bc-dfsvq]     }
[native-api-5bc89d67bc-dfsvq]   ]
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] )
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.496 UTC|Alert.java:238|Received alert message (
[native-api-5bc89d67bc-dfsvq] "Alert": {
[native-api-5bc89d67bc-dfsvq]   "level"      : "fatal",
[native-api-5bc89d67bc-dfsvq]   "description": "handshake_failure"
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] )
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|ERROR|1A|Gax-1|2019-05-15 16:27:19.500 UTC|TransportContext.java:312|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
[native-api-5bc89d67bc-dfsvq] "throwable" : {
[native-api-5bc89d67bc-dfsvq]   javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:285)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:180)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1356)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1331)
[native-api-5bc89d67bc-dfsvq]       at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:242)
[native-api-5bc89d67bc-dfsvq]       at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:113)
[native-api-5bc89d67bc-dfsvq]       at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:84)
[native-api-5bc89d67bc-dfsvq]       at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1040)
[native-api-5bc89d67bc-dfsvq]       at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:399)
[native-api-5bc89d67bc-dfsvq]       at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:181)
[native-api-5bc89d67bc-dfsvq]       at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:167)
[native-api-5bc89d67bc-dfsvq]       at com.google.auth.Credentials.blockingGetToCallback(Credentials.java:113)
[native-api-5bc89d67bc-dfsvq]       at com.google.auth.Credentials$1.run(Credentials.java:99)
[native-api-5bc89d67bc-dfsvq]       at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
[native-api-5bc89d67bc-dfsvq]       at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
[native-api-5bc89d67bc-dfsvq]       at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
[native-api-5bc89d67bc-dfsvq]       at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[native-api-5bc89d67bc-dfsvq]       at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[native-api-5bc89d67bc-dfsvq]       at java.base/java.lang.Thread.run(Thread.java:835)}
[native-api-5bc89d67bc-dfsvq]
[native-api-5bc89d67bc-dfsvq] )
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.500 UTC|SSLSocketImpl.java:1389|close the underlying socket
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.500 UTC|SSLSocketImpl.java:1408|close the SSL connection (initiative)

Algunos detalles sobre mi entorno

$ java Ciphers # see https://confluence.atlassian.com/stashkb/list-ciphers-used-by-jvm-679609085.html
Default Cipher
*   TLS_AES_128_GCM_SHA256
*   TLS_AES_256_GCM_SHA384
*   TLS_CHACHA20_POLY1305_SHA256
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*   TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*   TLS_DHE_DSS_WITH_AES_256_CBC_SHA
*   TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
*   TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
*   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
*   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
*   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
*   TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*   TLS_RSA_WITH_AES_128_CBC_SHA
*   TLS_RSA_WITH_AES_128_CBC_SHA256
*   TLS_RSA_WITH_AES_128_GCM_SHA256
*   TLS_RSA_WITH_AES_256_CBC_SHA
*   TLS_RSA_WITH_AES_256_CBC_SHA256
*   TLS_RSA_WITH_AES_256_GCM_SHA384

$ java --version
openjdk 12.0.1 2019-04-16
OpenJDK Runtime Environment (build 12.0.1+12)
OpenJDK 64-Bit Server VM (build 12.0.1+12, mixed mode)

$ java --list-modules
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Esto es lo que nmap me está diciendo acerca de la API de Google Cloud

$ nmap -sV --script ssl-enum-ciphers -p 443 oauth2.googleapis.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 17:02 BST
Nmap scan report for oauth2.googleapis.com (216.58.198.170)
Host is up (0.0036s latency).
Other addresses for oauth2.googleapis.com (not scanned): 172.217.169.42 172.217.169.74 216.58.210.202 216.58.206.74 216.58.213.106 216.58.206.138 216.58.212.74 216.58.204.42 216.58.211.170 216.58.204.74
rDNS record for 216.58.198.170: lhr25s10-in-f10.1e100.net

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https gws
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     Date: Wed, 15 May 2019 16:03:08 GMT
|     Expires: -1
|     Cache-Control: private, max-age=0
|     Content-Type: text/html; charset=ISO-8859-1
|     P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
|     Server: gws
|     X-XSS-Protection: 0
|     X-Frame-Options: SAMEORIGIN
|     Set-Cookie: 1P_JAR=2019-05-15-16; expires=Fri, 14-Jun-2019 16:03:08 GMT; path=/; domain=.google.com
|     Set-Cookie: NID=183=YYh48j3880NJp7Imev2IuA6fbZh2XB92x0D3woXT1l1aOhSgvVdNElia3mL7IBtyYDp7cShGyWcN0qcDkXNqKuA2S0cEpm122vmlrifWE0oeur1eeLovYqpvS4typQhxJMKagpV93VHW6avhd4F_5mGJSjaPgCNzhVFlJEdCGfA; expires=Thu, 14-Nov-2019 16:03:08 GMT; path=/; domain=.google.com; HttpOnly
|     Alt-Svc: quic=":443"; ma=2592000; v="46,44,43,39"
|     Accept-Ranges: none
|     Vary: Accept-Encoding
|     <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Ty
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Allow: GET, HEAD
|     Date: Wed, 15 May 2019 16:03:08 GMT
|     Content-Type: text/html; charset=UTF-8
|     Server: gws
|     Content-Length: 1592
|     X-XSS-Protection: 0
|     X-Frame-Options: SAMEORIGIN
|     Alt-Svc: quic=":443"; ma=2592000; v="46,44,43,39"
|     <!DOCTYPE html>
|     <html lang=en>
|     <meta charset=utf-8>
|     <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
|     <title>Error 405 (Method Not Allowed)!!1</title>
|     <style>
|_    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:n
| http-server-header:
|   ESF
|_  gws
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port443-TCP:V=7.70%T=SSL%I=7%D=5/15%Time=5CDC383C%P=x86_64-apple-darwin
SF:17.3.0%r(GetRequest,4BF6,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Wed,\x2015
SF:\x20May\x202019\x2016:03:08\x20GMT\r\nExpires:\x20-1\r\nCache-Control:\
SF:x20private,\x20max-age=0\r\nContent-Type:\x20text/html;\x20charset=ISO-
SF:8859-1\r\nP3P:\x20CP=\"This\x20is\x20not\x20a\x20P3P\x20policy!\x20See\
SF:x20g\.co/p3phelp\x20for\x20more\x20info\.\"\r\nServer:\x20gws\r\nX-XSS-
SF:Protection:\x200\r\nX-Frame-Options:\x20SAMEORIGIN\r\nSet-Cookie:\x201P
SF:_JAR=2019-05-15-16;\x20expires=Fri,\x2014-Jun-2019\x2016:03:08\x20GMT;\
SF:x20path=/;\x20domain=\.google\.com\r\nSet-Cookie:\x20NID=183=YYh48j3880
SF:NJp7Imev2IuA6fbZh2XB92x0D3woXT1l1aOhSgvVdNElia3mL7IBtyYDp7cShGyWcN0qcDk
SF:XNqKuA2S0cEpm122vmlrifWE0oeur1eeLovYqpvS4typQhxJMKagpV93VHW6avhd4F_5mGJ
SF:SjaPgCNzhVFlJEdCGfA;\x20expires=Thu,\x2014-Nov-2019\x2016:03:08\x20GMT;
SF:\x20path=/;\x20domain=\.google\.com;\x20HttpOnly\r\nAlt-Svc:\x20quic=\"
SF::443\";\x20ma=2592000;\x20v=\"46,44,43,39\"\r\nAccept-Ranges:\x20none\r
SF:\nVary:\x20Accept-Encoding\r\n\r\n<!doctype\x20html><html\x20itemscope=
SF:\"\"\x20itemtype=\"http://schema\.org/WebPage\"\x20lang=\"en-GB\"><head
SF:><meta\x20content=\"text/html;\x20charset=UTF-8\"\x20http-equiv=\"Conte
SF:nt-Ty")%r(HTTPOptions,742,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allowed
SF:\r\nAllow:\x20GET,\x20HEAD\r\nDate:\x20Wed,\x2015\x20May\x202019\x2016:
SF:03:08\x20GMT\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nServer:
SF:\x20gws\r\nContent-Length:\x201592\r\nX-XSS-Protection:\x200\r\nX-Frame
SF:-Options:\x20SAMEORIGIN\r\nAlt-Svc:\x20quic=\":443\";\x20ma=2592000;\x2
SF:0v=\"46,44,43,39\"\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=en>\n\x20\x
SF:20<meta\x20charset=utf-8>\n\x20\x20<meta\x20name=viewport\x20content=\"
SF:initial-scale=1,\x20minimum-scale=1,\x20width=device-width\">\n\x20\x20
SF:<title>Error\x20405\x20\(Method\x20Not\x20Allowed\)!!1</title>\n\x20\x2
SF:0<style>\n\x20\x20\x20\x20\*{margin:0;padding:0}html,code{font:15px/22p
SF:x\x20arial,sans-serif}html{background:#fff;color:#222;padding:15px}body
SF:{margin:7%\x20auto\x200;max-width:390px;min-height:180px;padding:30px\x
SF:200\x2015px}\*\x20>\x20body{background:url\(//www\.google\.com/images/e
SF:rrors/robot\.png\)\x20100%\x205px\x20no-repeat;padding-right:205px}p{ma
SF:rgin:11px\x200\x2022px;overflow:hidden}ins{color:#777;text-decoration:n
SF:one}a\x20img{border:0}@media\x20screen\x20and\x20\(max-width:772px\){bo
SF:dy{background:n");

McGin:

La causa era un módulo que falta jdk.crypto.cryptoki

El tiempo de ejecución que estaba usando se genera de este modo:

     jlink \
        --add-modules java.base,java.logging,java.xml,jdk.unsupported,java.sql,java.naming,java.desktop,java.management,java.security.jgss,java.instrument,jdk.management,java.net.http \
        --module-path $(find $JAVA_HOME -name lib -type d) \
        --output ~/jre

Fix es simplemente para incluir el jdk.crypto.cryptokimódulo en el JRE tiempo de ejecución. No me queda claro por qué esto es necesario para jdk12 pero no JDK11 (hago lo mismo para ambos)

     jlink \
        --add-modules java.base,java.logging,java.xml,jdk.unsupported,java.sql,java.naming,java.desktop,java.management,java.security.jgss,java.instrument,jdk.management,java.net.http,jdk.crypto.cryptoki \
        --module-path $(find $JAVA_HOME -name lib -type d) \
        --output ~/jre