Generally, the right way to do StartTLS is to offer a separate set of commands before and after TLS negotiation. Take IMAP, for example (setting aside the issues associated with support of RFC2060 clients). Before TLS is established, CAPABILITY should advertise only a limited number of commands, including CAPABILITY and STARTTLS. Once TLS has been established, CAPABILITY should advertise a full set. So, correct StartTLS support requires work at the protocol level in conjunction with the handler and socket frameworks.
This issue is more about hardening an installation. It covers configuring and controlling the appropriate general behaviour when potential security issues occur. Protocols are going to need to be changed to add correct StartTLS support and then hook into appropriate points in the general security framework. But I think it would be better to attempt to use a common set of security services than to duplicate code.
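The two-stage CAPABILITY behaviour described above, as an added illustration that is not code from this discussion or from any project: a minimal IMAP-style command dispatcher that advertises only a limited capability set (with LOGINDISABLED, per RFC 2595) until STARTTLS has completed, and refuses any other command before then. The class name and response texts are assumptions; the command and capability names are the IMAP ones.

```python
# Added example, not from the original discussion. Command and capability
# names are the IMAP ones; the ImapSession class itself is hypothetical.

# Before TLS: only enough to discover and start TLS; LOGIN is advertised as disabled.
PRE_TLS_CAPABILITIES = ("IMAP4rev1", "STARTTLS", "LOGINDISABLED")
# After TLS: the full set (AUTH=PLAIN is only safe to offer over TLS).
POST_TLS_CAPABILITIES = ("IMAP4rev1", "AUTH=PLAIN")
# Commands the dispatcher will pass to a handler before TLS is negotiated.
PRE_TLS_COMMANDS = frozenset({"CAPABILITY", "STARTTLS", "NOOP", "LOGOUT"})


class ImapSession:
    def __init__(self):
        self.tls_established = False

    def capabilities(self):
        return POST_TLS_CAPABILITIES if self.tls_established else PRE_TLS_CAPABILITIES

    def handle(self, line):
        """Return the server response lines for one tagged client command."""
        parts = line.split()
        if len(parts) < 2:
            return ["* BAD Malformed command"]
        tag, command = parts[0], parts[1].upper()
        # Gate at the dispatcher, so handlers never see a pre-TLS command
        # they should not be running.
        if not self.tls_established and command not in PRE_TLS_COMMANDS:
            return [f"{tag} BAD Command not permitted before STARTTLS"]
        if command == "CAPABILITY":
            return ["* CAPABILITY " + " ".join(self.capabilities()),
                    f"{tag} OK CAPABILITY completed"]
        if command == "STARTTLS":
            if self.tls_established:
                return [f"{tag} BAD TLS already active"]
            # A real server hands the socket to the TLS layer at this point.
            self.tls_established = True
            return [f"{tag} OK Begin TLS negotiation now"]
        if command == "LOGIN":
            return [f"{tag} OK LOGIN completed"]  # credential check omitted
        if command == "NOOP":
            return [f"{tag} OK NOOP completed"]
        if command == "LOGOUT":
            return ["* BYE", f"{tag} OK LOGOUT completed"]
        return [f"{tag} BAD Unknown command"]
```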