My wacky goal was to try to do this transparently on the wire, with the BlueSCSI intercepting TCP packets of plaintext to remote IPs on port 443, then do TLS and send out encrypted traffic, read the reply, decrypt it, and send back plaintext on the wire to the Mac. This way applications on the Mac wouldn't need to know anything about TLS, they could just connect to things on port 443 and get plaintext.
But this was too difficult to do because the plain/cipher packets wouldn't match up one-to-one, so I'd have to answer the Mac's TCP connection and buffer data, then create my own outbound TCP connection to the server with hand-crafted TCP packets built using the Mac's IP (since the Pico doesn't have its own stack/IP), and shuffle data between both TCP conections. That meant adding a TCP state machine, trying to find/maintain the current time (needed for x509 validation), etc.