fix: Move TLS version tagging to after connection establishment and add error handling

Author: hangy

src/AlbusKavaliro.TraceableLdapClient/TraceableLdapConnection.cs

@@ -556,12 +556,6 @@ private void SetNetworkTags(Activity activity)
 
             activity.SetTag(OtelTags.ConnectionType, isLdaps ? "ldaps" : isEncrypted ? "starttls" : "plain");
             activity.SetTag(OtelTags.ConnectionEncrypted, isEncrypted);
-
-            // Add TLS version if available and encrypted
-            if (isEncrypted && SessionOptions.SslInformation?.Protocol != null)
-            {
-                activity.SetTag(OtelTags.TlsVersion, SessionOptions.SslInformation.Protocol.ToString());
-            }
         }
     }
 
@@ -626,6 +620,19 @@ private void SetResponseAttributes(Activity? activity, DirectoryResponse respons
             activity.SetTag(OtelTags.Referrals, string.Join(',', response.Referral.Select(u => u.ToString())));
         }
 
+        // Add TLS version if available and encrypted (now that connection is established)
+        try
+        {
+            if (SessionOptions.SslInformation?.Protocol != null)
+            {
+                activity.SetTag(OtelTags.TlsVersion, SessionOptions.SslInformation.Protocol.ToString());
+            }
+        }
+        catch (Exception)
+        {
+            // Ignore errors when accessing SSL information
+        }
+
         SetResponseSpecificAttributes(activity, response);
     }