if TLS is optional Spark will use TLS. So I wonder if your proxy does change something within the TCP packet that makes the TLS negotiation fail, I don’'t have a detailed knowledge of the SSL/TLS specifications so I can just guess that this is the case.
I run Pen as a simple TCP load balancer in front of two connection managers without problems, so you could try to use it as a TCP proxy for Wildfire and see if this still fails.