
HTTP 400 Error When Accessing Application Through DLB with mTLS Enabled

Publish Date: May 1, 2026
Description

All consumer requests are failing with an HTTP 400 Bad Request error at the DLB layer when mTLS is enabled. The requests are rejected at the DLB and do not reach the Mule applications.

Resolution
  1. Review DLB logs to determine whether the response originates from the DLB or the Mule application. If the response is generated by the DLB, proceed with the following steps. Otherwise, refer to this KB article.

  2. If the DLB is returning an HTTP 400 directly, validate the client certificate used for mTLS authentication with:

        openssl x509 -text -noout -in client_ca.pem -purpose
  3. Inspect the Extended Key Usage section of the certificate and confirm it includes TLS Web Client Authentication. For example:

        X509v3 Extended Key Usage:
          TLS Web Server Authentication
  4. If TLS Web Client Authentication is missing, reissue or update the certificate to include the appropriate client authentication usage.
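
The Extended Key Usage check from steps 2 to 4 can be scripted. The following is an added example, not part of the original article: the function names and the sample text fragments are constructed for illustration, and the script only parses the text that `openssl x509 -text -noout` prints.

```shell
#!/bin/sh
# Added example: classify the Extended Key Usage (EKU) of a certificate from
# the text printed by `openssl x509 -text -noout -in <cert>`.

# eku_line: read openssl text output on stdin and print the EKU value line
# (the line following the "X509v3 Extended Key Usage:" header), or nothing.
eku_line() {
    awk '/X509v3 Extended Key Usage:/ {
             if ((getline line) > 0) { sub(/^[ \t]+/, "", line); print line }
             exit
         }'
}

# classify_eku: read openssl text output on stdin and print one of
#   client-auth-present  EKU lists TLS Web Client Authentication
#   client-auth-missing  EKU exists but does not list it (reissue, per step 4)
#   no-eku-extension     the certificate carries no EKU extension at all
classify_eku() {
    eku=$(eku_line)
    case "$eku" in
        "")                                echo "no-eku-extension" ;;
        *"TLS Web Client Authentication"*) echo "client-auth-present" ;;
        *)                                 echo "client-auth-missing" ;;
    esac
}

# Constructed fragments of `openssl x509 -text` output (not real certificates).
SERVER_ONLY='        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication'
BOTH='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication'
NO_EKU='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature'

printf '%s\n' "$SERVER_ONLY" | classify_eku
printf '%s\n' "$BOTH"        | classify_eku
printf '%s\n' "$NO_EKU"      | classify_eku

# Real use, with the file name from step 2:
#   openssl x509 -text -noout -in client_ca.pem | classify_eku
```

The `no-eku-extension` result is reported separately because the article only covers certificates whose Extended Key Usage section is present.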

Additional Resources

Sample DLB log for HTTP 400:

1.2.3.4 - - [date:09:34:45 +0000] "GET /hellomulesoft= HTTP/1.1" 400 180 "-" "GuzzleHttp/7" "-" rt=0.000 uct="-" uht="-" urt="-" ua="-" us="-" proto="TLSv1.2" cipher="DHE-RSA-AES256-GCM-SHA384"

Sample certificate output:

% openssl x509 -text -noout -in cert.pem -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
Code signing : No
Code signing CA : No
Knowledge Article Number

005318612

 