Forum Discussion
Philip_King_719
Nimbostratus
Feb 18, 2016
Redirect SSL connection to new URL before SSL handshake
I did search for this and saw all the articles that this cannot be done, but have someone insisting that it is possible so I'm asking and hoping that the answer has changed since the last articles I ...
VernonWells
Employee
Feb 18, 2016
To be completely clear, this is not a limitation of BIG-IP or of iRules. Since TLS is used to protect the HTTP transaction, the TLS handshake must be completed before any HTTP data are sent (otherwise, that data stream would not be protected by TLS). An HTTP redirect is the result of an HTTP Response message response code. Thus, the order of events in an HTTPS transaction is always:
- TCP three-way handshake;
- TLS handshake;
- Exchange of HTTP messages.
And to expand just a bit on what @stanislas said, the events you cite correspond to the following actions:
- RULE_INIT: fires when a rule is reloaded, typically when the BIG-IP configuration is reloaded or the rule is altered and saved. This event is unrelated to connections, so any connection-related commands (e.g., IP::client_addr or HTTP::redirect) cannot be used in this event;
- CLIENT_ACCEPTED: fires when the underlying TCP three-way handshake completes on the client-side of the connection, but in the case of HTTPS, before the TLS handshake begins. Because this event relates solely to the L4 state machine, commands for higher layer protocols (e.g., HTTP::redirect) cannot be used here;
- HTTP_REQUEST: fires after the HTTP headers are received in full on the client-side. In the case of HTTPS, this occurs after the TLS handshake is completed.
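
The event ordering described in the answer above, as an added iRule sketch that is not part of the original post and is not F5's code. It assumes a virtual server with both a client SSL profile and an HTTP profile attached; `new.example.com` is a placeholder hostname.

```tcl
when RULE_INIT {
    # Fires when the rule is loaded or saved, not per connection.
    # Only connection-independent setup belongs here.
    # new.example.com is a placeholder, not a value from the thread.
    set static::new_host "new.example.com"
}

when CLIENT_ACCEPTED {
    # TCP three-way handshake is complete; the TLS handshake has not begun.
    # Only L4 information is available, so HTTP::redirect cannot be used here.
    log local0. "1 TCP accepted from [IP::client_addr]:[TCP::client_port]"
}

when CLIENTSSL_HANDSHAKE {
    # Client-side TLS handshake is complete. The certificate for the
    # originally requested hostname has already been presented to the client.
    log local0. "2 TLS established: [SSL::cipher version] [SSL::cipher name]"
}

when HTTP_REQUEST {
    # HTTP headers have been received in full over the TLS session.
    # This is the earliest event in which the redirect can be issued.
    log local0. "3 HTTP request for [HTTP::host][HTTP::uri]"
    HTTP::redirect "https://${static::new_host}[HTTP::uri]"
}
```

For a single HTTPS connection the log lines appear in the order 1, 2, 3, so the certificate served for the old hostname must still be one the client accepts for the redirect to be delivered.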
