StartTLS over LDAP fails with ECONNRESET on Node 22 using [email protected] (OpenSSL 3). openssl s_client -starttls ldap succeeds #86

@wesley3295

Description

Environment
Node: 22.x
ldap-authentication: 3.3.4
ldapts: 7.4.0
OS: Windows
Network: behind VPN
LDAP server: 389 Directory Server (self-signed cert, CN)
Certificate: self-signed (CN: <CERT_CN>)
Mode: StartTLS on port 389

Server/Certs
Using StartTLS on port 389
SNI used (servername: <CERT_CN>)
openssl s_client StartTLS succeeds (see below)

Minimal Reproduction (ldap-authentication)

import { authenticate } from 'ldap-authentication';

const options = {
  ldapOpts: {
    url: 'ldap://<HOST>:389',
    tlsOptions: {
      servername: '<CERT_CN>',
      rejectUnauthorized: false,
      minVersion: 'TLSv1.2',
    },
    connectTimeout: 50000,
  },
  starttls: true,
  adminDn: '<ADMIN_DN>',
  adminPassword: '<ADMIN_PASSWORD>',
  userSearchBase: '<USER_SEARCH_BASE>',
  usernameAttribute: '<USERNAME_ATTR>',
  username: '<TEST_USER>',
};

try {
  console.log('Attempting authenticate() with StartTLS…');
  const user = await authenticate(options);
  console.log('SUCCESS:', !!user);
} catch (err) {
  console.error('FAILED:', {
    name: err?.name,
    message: err?.message,
    code: err?.code,
  });
}

authenticate(options) fails immediately after the StartTLS upgrade with:
Error: Client network socket disconnected before secure TLS connection was established
Code: ECONNRESET

Expected Result
StartTLS handshake completes; subsequent bind/search succeed (as validated with OpenSSL).
