Forum Discussion
Martin_Smith_58
Nimbostratus
Oct 19, 2012
Regular SSL/TLS for user connections to the LTM, with SNI support from LTM to the real webservers?
Hi there --
We have a client base that we truly can't force to support TLS SNI for HTTP traffic. However, we'd like to limit the number of IPs we put on our backend webservers. I'm wondering if ...
Kevin_Stewart
Employee
Oct 19, 2012
Okay, I figured it out. v11.1 introduces the SERVERSSL_CLIENTHELLO_SEND event and the SSL::extensions command. With these I can arbitrarily add extensions to the SSL negotiation. Here's a rough idea of what it looks like:
when HTTP_REQUEST {
    # The Host header must match the server name inserted into the SNI extension below
    HTTP::header replace Host "sslapp2.alpha.com"
}
when SERVERSSL_CLIENTHELLO_SEND {
    set hostname "sslapp2.alpha.com"
    # Build the server_name extension (RFC 6066): extension type 0, extension length,
    # server name list length, name type 0 (host_name), name length, then the name itself
    set bin [binary format S1S1S1S1ca* 0 [expr {[string length $hostname] + 5}] [expr {[string length $hostname] + 3}] 0 [string length $hostname] $hostname]
    SSL::extensions insert $bin
}
For this to work you absolutely have to set the HTTP Host header the same as the server name value you're inserting into the SNI extension. How you derive that server name in the first place is another issue (perhaps an LDAP lookup of the load balanced host or a static datagroup IP->hostname mapping?)
You'll also need to set Strict Resume in your server SSL profile for this to work.
Just to explain the binary portion:
[binary format S1S1S1S1ca* - binary formatting a string that contains 4x16bit values, 1x8bit value, and a text string
0 - static value indicating the extension type (server_name - see http://tools.ietf.org/html/rfc6066)
[expr [string length $hostname] + 5] - a (total) length indicator that is always 5 bytes longer than the text string length
[expr [string length $hostname] + 3] - a (list) length indicator that is always 3 bytes longer than the text string length
0 - static value indicating the server name type (host_name)
[string length $hostname] - the length of the server name text string
$hostname] - the server name text string
Hope this helps.
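The byte layout described in the answer above can be checked outside the BIG-IP. The following Python is an added example, not Kevin's iRule and not F5 code: it builds the server_name extension field by field as RFC 6066 defines it, reproduces the byte layout the iRule's binary format string emits, confirms the two agree for the hostname used in the post (and shows where they stop agreeing), and parses an extension back while validating every nested length field, which is the check a receiver should make before trusting the name. The hostname sslapp2.alpha.com is taken from the post; everything else (function names, the 300-character test name) is constructed for this example.

```python
import struct

# RFC 6066 constants: extension type server_name (0) and NameType host_name (0)
SERVER_NAME_EXT_TYPE = 0
NAME_TYPE_HOST_NAME = 0


def build_sni_extension(hostname: str) -> bytes:
    """Encode hostname as a complete server_name extension (type, length, data)
    following the RFC 6066 structure field by field."""
    name = hostname.encode("ascii")
    # ServerName: name_type (1 byte) + HostName length (2 bytes) + HostName
    server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    # ServerNameList: 2-byte list length + the single ServerName entry
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    # Extension: 2-byte extension_type + 2-byte extension_data length + data
    return struct.pack("!HH", SERVER_NAME_EXT_TYPE, len(server_name_list)) + server_name_list


def build_sni_extension_irule_layout(hostname: str) -> bytes:
    """Reproduce the byte layout of the iRule's
    [binary format S1S1S1S1ca* 0 len+5 len+3 0 len $hostname]:
    four big-endian 16-bit values, one 8-bit value, then the string.
    Tcl's 'c' keeps only the low 8 bits of the value, mirrored here with & 0xFF."""
    name = hostname.encode("ascii")
    n = len(name)
    return struct.pack("!HHHHB", 0, n + 5, n + 3, 0, n & 0xFF) + name


def layouts_agree(hostname: str) -> bool:
    """True when the iRule layout and the RFC layout yield identical bytes.
    They coincide for any name shorter than 256 bytes because the 16-bit 0
    followed by an 8-bit length produces the same bytes as an 8-bit 0
    followed by a 16-bit length; longer names break that coincidence."""
    return build_sni_extension(hostname) == build_sni_extension_irule_layout(hostname)


def parse_sni_extension(ext: bytes) -> str:
    """Decode a server_name extension, checking every nested length field
    against the data actually present. Raises ValueError on any mismatch."""
    if len(ext) < 9:
        raise ValueError("extension too short")
    ext_type, ext_len = struct.unpack_from("!HH", ext, 0)
    if ext_type != SERVER_NAME_EXT_TYPE:
        raise ValueError("not a server_name extension")
    if ext_len != len(ext) - 4:
        raise ValueError("extension_data length does not match payload")
    (list_len,) = struct.unpack_from("!H", ext, 4)
    if list_len != ext_len - 2:
        raise ValueError("ServerNameList length does not match payload")
    name_type, name_len = struct.unpack_from("!BH", ext, 6)
    if name_type != NAME_TYPE_HOST_NAME:
        raise ValueError("unsupported NameType")
    if name_len != list_len - 3:
        raise ValueError("HostName length does not match payload")
    return ext[9:9 + name_len].decode("ascii")


def is_valid_sni_extension(ext: bytes) -> bool:
    """Boolean wrapper around parse_sni_extension for callers that only need accept/reject."""
    try:
        parse_sni_extension(ext)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    host = "sslapp2.alpha.com"
    ext = build_sni_extension(host)
    print(ext.hex())
    print(parse_sni_extension(ext), layouts_agree(host))
```

Running the block prints the extension bytes for sslapp2.alpha.com and confirms the decoded name round-trips. The three length fields are checked independently in parse_sni_extension rather than trusting any one of them, so a truncated or tampered extension is rejected before the hostname is read.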