According to Secure Transport Result Codes, a SecCopyErrorMessageString() function exists to translate error codes into human-readable strings. This might be used to improve the output of "TLS handshake failed: %d" messages, as is done for OpenSSL.
Note that the function returns null if a string is not available, so that may be a case where the error message should fall back to displaying the original code. If there is prior art for how you handle this with OpenSSL (assuming it also has cases where no message is available), it'd probably be best to follow that here.
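One way to implement the lookup with the numeric fallback described above, as an added example that is not the project's own code. `lookup_message` and `format_handshake_error` are hypothetical names, and the non-Apple branch is a stand-in (an assumption of this example) so the fallback path also builds where Secure Transport is absent.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#ifdef __APPLE__
#include <Security/Security.h> /* link: -framework Security -framework CoreFoundation */

/* Copy the system's message for `status` into buf; return 0 if there is none. */
static int lookup_message(OSStatus status, char *buf, size_t len)
{
    CFStringRef s = SecCopyErrorMessageString(status, NULL); /* 2nd arg is reserved */
    if (s == NULL)
        return 0;                 /* no string available for this code */
    Boolean ok = CFStringGetCString(s, buf, (CFIndex)len, kCFStringEncodingUTF8);
    CFRelease(s);                 /* "Copy" rule: the caller owns the returned string */
    return ok && buf[0] != '\0';
}
#else
/* Stand-in for builds without Secure Transport: always use the numeric fallback. */
typedef int32_t OSStatus;
static int lookup_message(OSStatus status, char *buf, size_t len)
{
    (void)status; (void)buf; (void)len;
    return 0;
}
#endif

/* Format a handshake failure. The raw code is kept in both branches so that
 * logs stay searchable by number even when a message is available. */
int format_handshake_error(OSStatus status, char *out, size_t outlen)
{
    char msg[256];
    if (lookup_message(status, msg, sizeof msg))
        return snprintf(out, outlen, "TLS handshake failed: %s (%d)", msg, (int)status);
    return snprintf(out, outlen, "TLS handshake failed: %d", (int)status);
}

int main(void)
{
    char line[512];
    format_handshake_error(-9806, line, sizeof line); /* -9806 is errSSLClosedAbort */
    puts(line);
    return 0;
}
```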