Bufferevent rate-limiting logic handles filtering badly
When we're doing filtering ssl bufferevents, we want the rate-limits to apply to the lowest level of the bufferevent stack, so that we're actually limiting bytes sent on the network. Otherwise, we'll read from the network ad libitum.
Also, we need to set write high-water marks for the lowest-level bufferevents in the filtering stack, or else we might prematurely ssl-ify data faster than we could write it, which would be silly.