You cannot do it. What you are doing without TLS is you are checking which redis backend is in the master role and then only route traffic there. To do this, you are implementing some basic redis dialog with a custom TCP health check.
However, custom TCP health checks don’t support TLS, so this cannot be done.
Do you need to route traffic only to the master instance? In that case, at least for health checks, you need to use a separate non-TLS port for haproxy health checks (of the same redis service).
Or use external health checking.
However, this deployment doesn’t make a lot of sense. You can drop stunnel completely and use haproxy instead to wrap everything in TLS. Then you won’t have to deal with TLS on the haproxy backend side and can continue to use health check to only route traffic to the master role redis instance.
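A sketch of the layout suggested in the last paragraph, as an added example that is not part of the original post: haproxy terminates TLS for clients and speaks plain redis to the backends, so the custom TCP health check can still pick the master. The section names, addresses, ports and certificate path are assumptions to adapt.

```haproxy
defaults
    mode tcp
    timeout connect 3s
    timeout client  30s
    timeout server  30s

# Clients connect here over TLS; haproxy replaces stunnel.
frontend redis_tls_in
    # Assumed path: PEM file holding the certificate and its private key.
    bind :6380 ssl crt /etc/haproxy/certs/redis.pem
    default_backend redis_master

# Backend traffic and health checks are plain TCP (no TLS on this side).
backend redis_master
    option tcp-check
    # Basic redis dialog: the server is only marked up if it answers
    # PING and reports role:master in "info replication".
    tcp-check send PING\r\n
    tcp-check expect string +PONG
    tcp-check send info\ replication\r\n
    tcp-check expect string role:master
    tcp-check send QUIT\r\n
    tcp-check expect string +OK
    # Assumed backend addresses; replicas fail the role:master check
    # and receive no traffic.
    server redis1 10.0.0.11:6379 check inter 1s
    server redis2 10.0.0.12:6379 check inter 1s
    server redis3 10.0.0.13:6379 check inter 1s
```

With this layout the haproxy-to-redis hop is unencrypted, so it belongs on a trusted network segment or on the same hosts as the redis instances.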