Forum Discussion
use doSSL on correct host header
A few things,
- The SERVER_CONNECTED event is a server-side event that is triggered after the server-side TCP handshake, and long after the client-side handshake has completed. At this stage in the proxy path, the SSL::profile command would only have access to the server SSL profile.
- I'm guessing you mean to change the certificate to the client (not the server), in which case the HTTP_REQUEST event is also too late. By the time you get to this event, you've already completed the SSL handshake. You therefore cannot make client-side SSL profile changes based on HTTP Host header values.
- Fortunately, modern browsers support the TLS "Server Name Indication" (SNI) extension, so when you navigate to an HTTPS site, the hostname in the browser URL is inserted into the TLS SNI handshake request from the client. BIG-IP can switch between client SSL profiles based on this SNI value. You'd create a separate SSL profile, one for each server certificate. And in each profile you'd enter a Server Name value that matches the desired hostname (the CN and/or SAN value of the certificate). And then add all of these client SSL profiles to the VIP. The VIP will then automatically select the correct profile, and correct certificate based on the client's SNI. No iRules required.