
mTLS client validation modes

In the "first step of certificate validation" section, we are saying that the TLS handshake is terminated even if the configuration allows invalid or missing client certificates. But the same configuration mode in the "mTLS client validation modes" section says that the connection is allowed even if certificate chain validation of the client certificate failed or no client certificate was presented.

First step of the client certificate validation

https://cloud.google.com/load-balancing/docs/mtls#validation-steps

If this step fails, the load balancer always fails the TLS handshake, even if your configuration allows invalid or missing client certificates, and no information is logged for global external Application Load Balancers, but a TLS error is logged in the proxyStatus field for regional external Application Load Balancers and internal Application Load Balancers.

mTLS client validation modes section

https://cloud.google.com/load-balancing/docs/mtls#mtls_errors

ALLOW_INVALID_OR_MISSING_CLIENT_CERT allows the connection from the client even if certificate chain validation of the client certificate failed or no client certificate was presented. The proof of possession of the private key is always checked when the client certificate is presented.

----

So in https://cloud.google.com/load-balancing/docs/mtls#validation-steps, it says:

> If this step fails, the load balancer always fails the TLS handshake, even if your configuration allows invalid or missing client certificates...

But this seems to be at odds with the description of `ALLOW_INVALID_OR_MISSING_CLIENT_CERT`, which says that it:

> allows the connection from the client even if certificate chain validation of the client certificate failed or no client certificate was presented.

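An added example, not part of the original post or of Google's documentation, that makes the two checks being compared concrete. The second quoted passage already separates them: proof of possession of the private key is always checked when a certificate is presented, while chain validation is what `ALLOW_INVALID_OR_MISSING_CLIENT_CERT` waives. Reading the first quote as describing that always-on check removes the contradiction; whether that is exactly what the docs mean by "this step" is an assumption here, not something the quoted text states. The Go program below models both checks with `crypto/tls` over loopback TCP: `tls.RequestClientCert` stands in for `ALLOW_INVALID_OR_MISSING_CLIENT_CERT` and `tls.RequireAndVerifyClientCert` for the strict mode (called `REJECT_INVALID` in the same docs, but not quoted above). The mapping is an analogy for the two behaviours, not the load balancer's implementation. The certificates, the name `lb.example.test` and the four client behaviours are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a throwaway ECDSA P-256 certificate for cn: a self-signed CA
// when parent is nil, otherwise a client-auth leaf signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign, nil
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a line above; parsing cannot fail
	return cert, key
}

// handshake runs one TLS handshake over loopback TCP and returns what the server
// saw: how many client certificates arrived, and its handshake error if any.
func handshake(srv, cli *tls.Config) (int, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() { // client side; its own verdict is irrelevant, the server decides
		if raw, err := net.Dial("tcp", ln.Addr().String()); err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			tls.Client(raw, cli).Handshake()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return 0, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	conn := tls.Server(raw, srv)
	if err := conn.Handshake(); err != nil {
		return 0, err
	}
	return len(conn.ConnectionState().PeerCertificates), nil
}

// Result is what the server saw for one client behaviour under one policy.
type Result struct {
	PeerCerts int   // client certificates that reached the server, validated or not
	Err       error // non-nil when the server failed the handshake
}

// Run plays four client behaviours against two server policies and returns the
// server-side outcomes keyed "client/policy".
func Run() map[string]Result {
	lbCert, lbKey := newCert("lb.example.test", nil, nil)   // assumed self-signed serving cert
	ca, caKey := newCert("trusted-client-ca", nil, nil)      // stands in for the trust config
	goodLeaf, goodKey := newCert("good-client", ca, caKey)
	rogueLeaf, rogueKey := newCert("rogue-client", nil, nil) // chain does not end in the trust config
	_, strangerKey := newCert("stranger", nil, nil)          // a key goodLeaf was not issued for
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	policies := map[string]tls.ClientAuthType{ // nearest crypto/tls analogues of the two modes
		"ALLOW_INVALID_OR_MISSING_CLIENT_CERT": tls.RequestClientCert,          // ask, never verify the chain
		"REJECT_INVALID":                       tls.RequireAndVerifyClientCert, // require and verify the chain
	}
	clients := map[string]*tls.Certificate{
		"no-cert":        nil,
		"trusted-cert":   {Certificate: [][]byte{goodLeaf.Raw}, PrivateKey: goodKey},
		"untrusted-cert": {Certificate: [][]byte{rogueLeaf.Raw}, PrivateKey: rogueKey},
		"wrong-key":      {Certificate: [][]byte{goodLeaf.Raw}, PrivateKey: strangerKey}, // valid chain, no proof of possession
	}
	out := map[string]Result{}
	for pname, auth := range policies {
		for cname, cert := range clients {
			srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{lbCert.Raw}, PrivateKey: lbKey}},
				ClientAuth: auth, ClientCAs: pool, MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true}
			cli := &tls.Config{InsecureSkipVerify: true} // the server's identity is not what this demo is about
			if cert != nil {
				cert := cert
				cli.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return cert, nil }
			}
			n, err := handshake(srv, cli)
			out[cname+"/"+pname] = Result{n, err}
		}
	}
	return out
}

func main() {
	for k, r := range Run() {
		fmt.Printf("%-45s certs=%d err=%v\n", k, r.PeerCerts, r.Err)
	}
}
```

Running it with `go run .` prints eight lines. Two of them carry the point of the thread: `untrusted-cert` under the permissive policy completes the handshake with `certs=1`, so the unvalidated certificate reaches the server and whatever sits behind such a proxy must not treat the mere presence of a client certificate as authentication; `wrong-key` fails under both policies with an invalid-signature error, which is the proof-of-possession check that no mode waives. Loopback TCP is used instead of `net.Pipe` so that a server alert can never deadlock against a client still writing its flight, and session tickets are disabled so the server writes nothing after reading the client's Finished.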