diff --git a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
index 1259bd263..26fd34365 100644
--- a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
+++ b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
@@ -18,6 +18,7 @@
 
 -include_lib("emqx/include/emqx.hrl").
 -include_lib("emqx/include/logger.hrl").
+-include_lib("snabbkaffe/include/snabbkaffe.hrl").
 
 -logger_header("[JWT]").
 
@@ -70,7 +71,10 @@ check_acl(ClientInfo = #{jwt_claims := Claims},
         _ ->
             ?DEBUG("no_acl_jwt_claim", []),
             ignore
-    end.
+    end;
+check_acl(_ClientInfo, _PubSub, _Topic, _NoMatchAction, _Env) ->
+    ?tp(debug, no_jwt_claim, #{}),
+    ignore.
 
 is_expired(Exp) when is_binary(Exp)  ->
     case string_to_number(Exp) of
diff --git a/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl b/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
index 7da708b13..a0be3768f 100644
--- a/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
+++ b/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
@@ -31,7 +31,8 @@ init_per_testcase(TestCase, Config) ->
     emqx_ct_helpers:start_apps([emqx_auth_jwt], fun set_special_configs/1),
     Config.
 
-end_per_testcase(_Case, _Config) ->
+end_per_testcase(TestCase, Config) ->
+    try ?MODULE:TestCase('end', Config) catch _:_ -> ok end,
     emqx_ct_helpers:stop_apps([emqx_auth_jwt]).
 
 set_special_configs(emqx) ->
@@ -377,6 +378,44 @@ t_check_jwt_acl_no_acl_claim(_Config) ->
 
     ok = emqtt:disconnect(C).
 
+t_check_jwt_acl_no_jwt_claims_helper(_ClientInfo, _LastAuthResult) ->
+    {stop, #{auth_result => success, anonymous => false}}.
+t_check_jwt_acl_no_jwt_claims(init, _Config) ->
+    ok;
+t_check_jwt_acl_no_jwt_claims('end', _Config) ->
+    ok = emqx_hooks:del(
+            'client.authenticate',
+            {?MODULE, t_check_jwt_acl_no_jwt_claims_helper, []}
+          ).
+t_check_jwt_acl_no_jwt_claims(_Config) ->
+    %% bypass the jwt authentication checking
+    ok = emqx_hooks:add(
+            'client.authenticate',
+            {?MODULE, t_check_jwt_acl_no_jwt_claims_helper, []},
+            _Priority = 99999
+          ),
+
+    {ok, C} = emqtt:start_link(
+                [{clean_start, true},
+                 {proto_ver, v5},
+                 {client_id, <<"client1">>},
+                 {username, <<"client1">>},
+                 {password, <<"password">>}]),
+    {ok, _} = emqtt:connect(C),
+
+    ok = snabbkaffe:start_trace(),
+
+    ?assertMatch(
+       {ok, #{}, [?RC_NOT_AUTHORIZED]},
+       emqtt:subscribe(C, <<"a/b">>, 0)),
+
+    {ok, _} = ?block_until(#{?snk_kind := no_jwt_claim}, 1000),
+    Trace = snabbkaffe:collect_trace(),
+    ?assertEqual(1, length(?of_kind(no_jwt_claim, Trace))),
+
+    snabbkaffe:stop(),
+    ok = emqtt:disconnect(C).
+
 t_check_jwt_acl_expire(init, _Config) ->
     application:set_env(emqx_auth_jwt, verify_claims, [{sub, <<"value">>}]).
 t_check_jwt_acl_expire(_Config) ->
diff --git a/apps/emqx_management/src/emqx_mgmt.erl b/apps/emqx_management/src/emqx_mgmt.erl
index 948088f8e..c5062d477 100644
--- a/apps/emqx_management/src/emqx_mgmt.erl
+++ b/apps/emqx_management/src/emqx_mgmt.erl
@@ -458,7 +458,7 @@ list_listeners(Node) when Node =:= node() ->
     end, esockd:listeners()),
     Http = lists:map(fun({Protocol, Opts}) ->
         #{protocol        => Protocol,
-          listen_on       => proplists:get_value(port, Opts),
+          listen_on       => format_http_bind(Opts),
           acceptors       => maps:get( num_acceptors
                                      , proplists:get_value(transport_options, Opts, #{}), 0),
           max_conns       => proplists:get_value(max_connections, Opts),
@@ -528,7 +528,7 @@ delete_banned(Who) ->
 
 
 %%--------------------------------------------------------------------
-%% Telemtry API
+%% Telemetry API
 %%--------------------------------------------------------------------
 
 -ifndef(EMQX_ENTERPRISE).
@@ -570,7 +570,7 @@ item(route, {Topic, Node}) ->
     #{topic => Topic, node => Node}.
 
 %%--------------------------------------------------------------------
-%% Internel Functions.
+%% Internal Functions.
 %%--------------------------------------------------------------------
 
 rpc_call(Node, Fun, Args) ->
@@ -603,3 +603,10 @@ max_row_limit() ->
     application:get_env(?APP, max_row_limit, ?MAX_ROW_LIMIT).
 
 table_size(Tab) -> ets:info(Tab, size).
+
+format_http_bind(Opts) ->
+    Port = proplists:get_value(port, Opts),
+    case proplists:get_value(ip, Opts) of
+        undefined -> Port;
+        IP -> {IP, Port}
+    end.
diff --git a/include/emqx_release.hrl b/include/emqx_release.hrl
index ce07c1cdb..b51281a54 100644
--- a/include/emqx_release.hrl
+++ b/include/emqx_release.hrl
@@ -29,7 +29,7 @@
 
 -ifndef(EMQX_ENTERPRISE).
 
--define(EMQX_RELEASE, {opensource, "4.3.20-alpha.1"}).
+-define(EMQX_RELEASE, {opensource, "4.3.20-alpha.2"}).
 
 -else.
 
diff --git a/scripts/relup-base-packages.sh b/scripts/relup-base-packages.sh
index 01d2fa96b..b45e72cc3 100755
--- a/scripts/relup-base-packages.sh
+++ b/scripts/relup-base-packages.sh
@@ -57,15 +57,17 @@ for tag in $(../scripts/relup-base-vsns.sh $EDITION | xargs echo -n); do
     filename="$PROFILE-$SYSTEM-${tag#[e|v]}-$ARCH.zip"
     url="https://packages.emqx.io/$DIR/$tag/$filename"
     echo "downloading base package from ${url} ..."
-    if [ ! -f "$filename" ] && curl -L -I -m 10 -o /dev/null -s -w "%{http_code}" "${url}" | grep -q -oE "^[23]+" ; then
-        curl -L -o "${filename}" "${url}"
-        if [ "$SYSTEM" != "centos6" ]; then
-            curl -L -o "${filename}.sha256" "${url}.sha256"
-            SUMSTR=$(cat "${filename}.sha256")
-            echo "got sha265sum: ${SUMSTR}"
-            ## https://askubuntu.com/questions/1202208/checking-sha256-checksum
-            echo "${SUMSTR}  ${filename}" | $SHASUM -c || exit 1
-        fi
+    if [ -f "$filename" ]; then
+        echo "file $filename already downloaded; skikpped"
+        continue
+    fi
+    curl -L -o "${filename}" "${url}"
+    if [ "$SYSTEM" != "centos6" ]; then
+        curl -L -o "${filename}.sha256" "${url}.sha256"
+        SUMSTR=$(cat "${filename}.sha256")
+        echo "got sha265sum: ${SUMSTR}"
+        ## https://askubuntu.com/questions/1202208/checking-sha256-checksum
+        echo "${SUMSTR}  ${filename}" | $SHASUM -c || exit 1
     fi
 done
 
diff --git a/scripts/relup-base-vsns.sh b/scripts/relup-base-vsns.sh
index 8f391b01b..8e1ff4b78 100755
--- a/scripts/relup-base-vsns.sh
+++ b/scripts/relup-base-vsns.sh
@@ -58,7 +58,13 @@ case "${EDITION}" in
         ;;
 esac
 
+SYSTEM="${SYSTEM:-$(./scripts/get-distro.sh)}"
+
 while read -r git_tag; do
+    if [ "$SYSTEM" = 'centos8' ] && [ "$git_tag" = 'v4.3.13' ]; then
+        # This version for centos8 was broken and deleted from archive
+        continue
+    fi
     # shellcheck disable=SC2207
     semver=($(parse_semver "$git_tag"))
     if [ "${#semver[@]}" -eq 3 ] && [ "${semver[2]}" -le "${CUR_SEMVER[2]}" ]; then