diff --git a/apps/emqx_web_hook/src/emqx_web_hook_actions.erl b/apps/emqx_web_hook/src/emqx_web_hook_actions.erl
index bfbc89daa..a848350d3 100644
--- a/apps/emqx_web_hook/src/emqx_web_hook_actions.erl
+++ b/apps/emqx_web_hook/src/emqx_web_hook_actions.erl
@@ -365,49 +365,14 @@ pool_name(ResId) ->
 
 get_ssl_options(Config, ResId, <<"https://", _URL/binary>>) ->
     [{transport, ssl},
-     {transport_opts, get_ssl_opts(Config, ResId)},
-     {versions, emqx_tls_lib:default_versions()},
-     {ciphers, emqx_tls_lib:default_ciphers()}
+     {transport_opts, get_ssl_opts(Config, ResId)}
     ];
 get_ssl_options(_Config, _ResId, _URL) ->
     [].
 
 get_ssl_opts(Opts, ResId) ->
-    KeyFile = maps:get(<<"keyfile">>, Opts, undefined),
-    CertFile = maps:get(<<"certfile">>, Opts, undefined),
-    CAFile = maps:get(<<"cacertfile">>, Opts, undefined),
-    Filter = fun(Opts1) ->
-                     [{K, V} || {K, V} <- Opts1,
-                                    V =/= undefined,
-                                    V =/= <<>>,
-                                    V =/= "" ]
-             end,
-    Key = save_upload_file(KeyFile, ResId),
-    Cert = save_upload_file(CertFile, ResId),
-    CA = save_upload_file(CAFile, ResId),
-    Verify = case maps:get(<<"verify">>, Opts, false) of
-        false -> verify_none;
-        true -> verify_peer
-    end,
-    case Filter([{keyfile, Key}, {certfile, Cert}, {cacertfile, CA}]) of
-        [] -> [{verify, Verify}];
-        SslOpts ->
-            [{verify, Verify} | SslOpts]
-    end.
-
-save_upload_file(#{<<"file">> := <<>>, <<"filename">> := <<>>}, _ResId) -> "";
-save_upload_file(FilePath, _) when is_binary(FilePath) -> binary_to_list(FilePath);
-save_upload_file(#{<<"file">> := File, <<"filename">> := FileName}, ResId) ->
-     FullFilename = filename:join([emqx:get_env(data_dir), rules, ResId, FileName]),
-     ok = filelib:ensure_dir(FullFilename),
-     case file:write_file(FullFilename, File) of
-          ok ->
-               binary_to_list(FullFilename);
-          {error, Reason} ->
-               logger:error("Store file failed, ResId: ~p, ~0p", [ResId, Reason]),
-               error({ResId, store_file_fail})
-     end;
-save_upload_file(_, _) -> "".
+    Dir = filename:join([emqx:get_env(data_dir), "rule", ResId]),
+    [{ssl, true}, {ssl_opts, emqx_plugin_libs_ssl:save_files_return_opts(Opts, Dir)}].
 
 parse_host(Host) ->
     case inet:parse_address(Host) of
diff --git a/rebar.config.erl b/rebar.config.erl
index d216e8464..95d79b188 100644
--- a/rebar.config.erl
+++ b/rebar.config.erl
@@ -148,6 +148,7 @@ relx_apps(ReleaseType) ->
     , emqx
     , {mnesia, load}
     , {ekka, load}
+    , {emqx_plugin_libs, load}
     ]
     ++ [bcrypt || provide_bcrypt_release(ReleaseType)]
     ++ relx_apps_per_rel(ReleaseType)
diff --git a/src/emqx_tls_lib.erl b/src/emqx_tls_lib.erl
index 74b6719ee..024de699e 100644
--- a/src/emqx_tls_lib.erl
+++ b/src/emqx_tls_lib.erl
@@ -23,7 +23,9 @@
         , integral_ciphers/2
         ]).
 
+%% non-empty string
 -define(IS_STRING(L), (is_list(L) andalso L =/= [] andalso is_integer(hd(L)))).
+%% non-empty list of strings
 -define(IS_STRING_LIST(L), (is_list(L) andalso L =/= [] andalso ?IS_STRING(hd(L)))).
 
 %% @doc Returns the default supported tls versions.
@@ -35,7 +37,8 @@ default_versions() ->
 %% @doc Validate a given list of desired tls versions.
 %% raise an error exception if non of them are available.
 %% The input list can be a string/binary of comma separated versions.
--spec integral_versions(undefined | string() | binary() | [ssl:tls_version()]) -> [ssl:tls_version()].
+-spec integral_versions(undefined | string() | binary() | [ssl:tls_version()]) ->
+        [ssl:tls_version()].
 integral_versions(undefined) ->
     integral_versions(default_versions());
 integral_versions([]) ->