Because typically a trojan server is to be assumed to be an HTTPS server, the listening socket is always a TLS socket.
After performing TLS handshake, if the trojan server decides that the traffic is “other protocols”, it opens a tunnel between a preset endpoint (by default it is 127.0.0.1:80, the local HTTP server) to the client so the preset endpoint takes the control of the decrypted TLS traffic.