It is used for passing the results of the client certificate verification to the mule application. This is performed via the use of special headers. However, the actual mutual TLS connection still occurs between the client and the ingress (based on the ingress TLS Context). See the CloudHub 2.0 docs for more information.