On Fri, Sep 13, 2019 at 11:12 AM Lassi Kortela <xxxxxx@lassi.io> wrote:
 
SSL is becoming so ubiquitous, and yet is so tricky to implement, that
it might be nice to have easy procedures to make SSL connections in
addition to ordinary unencrypted TCP connections. So the connection is
just an encrypted pipe, and you supply the application-layer protocol
that runs above it. The simplest implementation would be just to run
OpenSSL as a subprocess. This is an easy way to e.g. turn a pure-Scheme
HTTP client into an HTTPS client, leaving most of the security and
certificate considerations to others.

One crucial requirement for such an API is to provide a way to do server certificate verification, or to specify how it should be done by the underlying software.  Clients that don't check servers' certificates are surprisingly common, and put their users at risk.  I encountered another such unfixed project just yesterday.

Another requirement is to allow control of exactly what crypto algorithms and TLS/SSL versions will be accepted.  There are well-known vulnerabilities in earlier versions, and it's important that users who want to can avoid accepting connections using those versions.

Ideally, the API should support sending client certificates.

Despite the general recommendation against implementing one's own crypto, there are some examples of what appear to be excellent new implementations in other languages, e.g. OCaml-TLS.  Perhaps someone will make an attempt at an implementation in Scheme.  I'd certainly be willing to entertain the possibility that it would be better than one written in C.
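
The three requirements above, applied to the "OpenSSL as a subprocess" approach, as an added example that is not part of the original messages or of any Scheme library. The function name `tls_pipe` and the `TLS_*` environment variables are hypothetical; the `s_client` options are real OpenSSL options (`-min_protocol` needs OpenSSL 1.1.0 or later).

```shell
#!/bin/sh
# Added example: run `openssl s_client` as a strict TLS pipe.
# tls_pipe and the TLS_* variables are hypothetical names for this sketch.
#
# usage: tls_pipe HOST PORT   (stdin/stdout carry the application protocol)
#   TLS_CAFILE        optional PEM trust anchor(s) instead of the default store
#   TLS_MIN_PROTOCOL  lowest accepted protocol version (default TLSv1.2)
#   TLS_CIPHERS       optional cipher list for TLS 1.2 and below
#   TLS_CLIENT_CERT   optional client certificate (PEM)
#   TLS_CLIENT_KEY    key for the client certificate (defaults to the cert file)
#   TLS_OPENSSL       openssl binary to run (default: openssl)
tls_pipe() {
    host=$1
    port=$2
    set -- s_client -connect "$host:$port" -servername "$host" -quiet

    # Server certificate verification. By default s_client only reports a
    # verification failure and carries on with the connection;
    # -verify_return_error aborts the handshake instead, and
    # -verify_hostname makes a certificate for another name a failure too.
    set -- "$@" -verify_return_error -verify_hostname "$host"
    if [ -n "${TLS_CAFILE:-}" ]; then
        set -- "$@" -CAfile "$TLS_CAFILE"
    fi

    # Protocol version floor and, optionally, the accepted cipher suites.
    set -- "$@" -min_protocol "${TLS_MIN_PROTOCOL:-TLSv1.2}"
    if [ -n "${TLS_CIPHERS:-}" ]; then
        set -- "$@" -cipher "$TLS_CIPHERS"
    fi

    # Client certificate, sent only when one is configured.
    if [ -n "${TLS_CLIENT_CERT:-}" ]; then
        set -- "$@" -cert "$TLS_CLIENT_CERT" \
                    -key "${TLS_CLIENT_KEY:-$TLS_CLIENT_CERT}"
    fi

    "${TLS_OPENSSL:-openssl}" "$@"
}
```

A caller treats a non-zero exit status from `tls_pipe` as a failed connection, which includes a rejected server certificate.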