The big issue is to make sure that all stream tags are paired with /stream tags if you're editing the script. Fundamentally, when the client first connects and sends the stream tag, I ignore the data they send and reply with a request for TLS. When I see them connect with the starttls command, I ignore their data and start SSL handshaking. All future data is handed to the pool doing processing. This isn't the most robust solution, but it's seemed to work with clients.
I'd do a packet capture from both client and real server to see what is actually being sent and received by each end.
Regards,
Rick
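As an added illustration of the exchange Rick describes (this is not his proxy's code, and the element names, the enforcement of a complete element before replying, and the domain/stream id are assumptions of the example), the pre-TLS part of a STARTTLS proxy can be written as a small state machine: answer the client's stream header with the proxy's own header plus a features element that marks starttls as required, answer the client's starttls with proceed and then hand the socket to the TLS handshake, and on every other path close any stream:stream the proxy itself opened.

```python
"""Pre-TLS state machine for a STARTTLS-enforcing XMPP proxy (RFC 6120, section 5).

Constructed example: the proxy owns the connection until TLS is up.  The
client's opening <stream:stream> is answered with the proxy's own stream header
and a <stream:features> that marks <starttls> as required; the client's
<starttls/> is answered with <proceed/>, at which point the caller wraps the
socket in TLS and hands all later bytes to the processing pool.  Every
<stream:stream> the proxy opens is closed with </stream:stream> on failure.
"""
import re
import secrets

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_OPEN = ('<?xml version="1.0"?><stream:stream xmlns="jabber:client" '
               'xmlns:stream="http://etherx.jabber.org/streams" '
               'from="{domain}" id="{sid}" version="1.0">')
FEATURES = (f'<stream:features><starttls xmlns="{TLS_NS}"><required/></starttls>'
            '</stream:features>')
PROCEED = f'<proceed xmlns="{TLS_NS}"/>'
FAILURE = f'<failure xmlns="{TLS_NS}"/>'
STREAM_CLOSE = "</stream:stream>"

# Deliberately loose matching: before TLS the proxy only looks for two specific
# elements and never parses the client's stream as XML.
_XML_DECL = re.compile(r"<\?xml[^>]*\?>")
_STREAM_HEADER = re.compile(r"<stream:stream\b[^>]*>")
_STARTTLS = re.compile(r"<starttls\b[^>]*xmlns=[\"']" + re.escape(TLS_NS) + r"[\"'][^>]*>")


class StartTlsNegotiator:
    WAIT_STREAM, WAIT_STARTTLS, HANDSHAKE, CLOSED = "wait_stream", "wait_starttls", "handshake", "closed"

    def __init__(self, domain, stream_id=None):
        self.domain = domain                       # assumed proxy domain
        self.stream_id = stream_id or secrets.token_hex(8)
        self.state = self.WAIT_STREAM
        self.buffer = b""
        self.stream_opened = False                 # did we send a <stream:stream> that needs closing?

    def feed(self, data):
        """Consume client bytes; return (reply, action).

        action is "send" (write reply, keep reading; reply may be empty while
        waiting for a complete element), "handshake" (write reply, then wrap
        the socket in TLS) or "close" (write reply, then close the socket).
        """
        if self.state in (self.HANDSHAKE, self.CLOSED):
            raise RuntimeError("negotiation finished; later bytes belong to TLS or to nobody")
        self.buffer += data
        text = _XML_DECL.sub("", self.buffer.decode("utf-8", errors="replace"))
        if STREAM_CLOSE in text:                   # client gave up: mirror the close
            return self._close(STREAM_CLOSE if self.stream_opened else "")
        if self.state == self.WAIT_STREAM:
            if _STREAM_HEADER.search(text):
                self.buffer = b""
                self.state = self.WAIT_STARTTLS
                self.stream_opened = True
                reply = STREAM_OPEN.format(domain=self.domain, sid=self.stream_id) + FEATURES
                return reply.encode(), "send"
        elif _STARTTLS.search(text):
            self.buffer = b""
            self.state = self.HANDSHAKE
            return PROCEED.encode(), "handshake"
        if ">" in text or len(self.buffer) > 4096:
            # A complete element this state does not expect (e.g. <auth> sent in
            # the clear): refuse, and close the stream if we opened one.
            return self._close((FAILURE + STREAM_CLOSE) if self.stream_opened else "")
        return b"", "send"                         # partial element: wait for more bytes

    def _close(self, reply):
        self.state = self.CLOSED
        return reply.encode(), "close"


def run_exchange(client_messages, domain="example.net", stream_id="c0ffee"):
    """Drive one negotiator over a scripted list of client sends and return the
    list of (reply, action) pairs, stopping once negotiation is finished."""
    negotiator = StartTlsNegotiator(domain, stream_id)
    out = []
    for msg in client_messages:
        out.append(negotiator.feed(msg))
        if out[-1][1] != "send":
            break
    return out


if __name__ == "__main__":
    # Constructed client traffic: XML declaration and a stream header split
    # across two reads, then STARTTLS.
    for reply, action in run_exchange([
        b'<?xml version="1.0"?><stream:stream to="example.net" xmlns="jabber:client" ',
        b'xmlns:stream="http://etherx.jabber.org/streams" version="1.0">',
        b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>",
    ]):
        print(action, reply.decode())
```

The point of the buffering is the check the message glosses over: a stream header or starttls element can arrive split across reads, so the proxy waits for a complete element before deciding, and anything else that completes before TLS (a SASL auth in the clear, for instance) gets a failure followed by the closing stream:stream tag so the tags stay paired.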