diff --git a/.github/workflows/run_cts_tests.yaml b/.github/workflows/run_cts_tests.yaml
index c6f86e1ba..e7849196a 100644
--- a/.github/workflows/run_cts_tests.yaml
+++ b/.github/workflows/run_cts_tests.yaml
@@ -37,12 +37,12 @@ jobs:
         if: matrix.network_type == 'ipv4'
         run: |
           server_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ldap)
-          sed -i "s|^[#[:space:]]*auth.ldap.servers[[:space:]]*=.*|auth.ldap.servers = \"$server_address|g\"" apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf
+          sed -i "s|^[#[:space:]]*auth.ldap.servers[[:space:]]*=.*|auth.ldap.servers = \"$server_address\"|g" apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf
       - name: setup
         if: matrix.network_type == 'ipv6'
         run: |
           server_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' ldap)
-          sed -i "s|^[#[:space:]]*auth.ldap.servers[[:space:]]*=.*|auth.ldap.servers = \"$server_address|g\"" apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf
+          sed -i "s|^[#[:space:]]*auth.ldap.servers[[:space:]]*=.*|auth.ldap.servers = \"$server_address\"|g" apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf
       - name: run test cases
         run: |
           docker exec -i erlang sh -c "make ensure-rebar3"
@@ -203,7 +203,7 @@ jobs:
           sed -i 's|^[#[:space:]]*auth.pgsql.username[ \t]*=.*|auth.pgsql.username = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
           sed -i 's|^[#[:space:]]*auth.pgsql.password[ \t]*=.*|auth.pgsql.password = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
           sed -i 's|^[#[:space:]]*auth.pgsql.database[ \t]*=.*|auth.pgsql.database = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-          sed -i 's|^[#[:space:]]*auth.pgsql.ssl[ \t]*=.*|auth.pgsql.ssl = on|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
+          sed -i 's|^[#[:space:]]*auth.pgsql.ssl.enable[ \t]*=.*|auth.pgsql.ssl.enable = on|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
           sed -i 's|^[#[:space:]]*auth.pgsql.cacertfile[ \t]*=.*|auth.pgsql.cacertfile = /emqx/apps/emqx_auth_pgsql/test/emqx_auth_pgsql_SUITE_data/root.crt|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
       - name: setup
         env:
@@ -263,7 +263,7 @@ jobs:
         run: |
           set -exu
           docker-compose -f .ci/compatibility_tests/docker-compose-redis-${{ matrix.node_type }}-tls.yaml up -d
-          sed -i 's|^[#[:space:]]*auth.redis.ssl[[:space:]]*=.*|auth.redis.ssl.enable = on|g' apps/emqx_auth_redis/etc/emqx_auth_redis.conf
+          sed -i 's|^[#[:space:]]*auth.redis.ssl.enable[[:space:]]*=.*|auth.redis.ssl.enable = on|g' apps/emqx_auth_redis/etc/emqx_auth_redis.conf
           sed -i 's|^[#[:space:]]*auth.redis.ssl.cacertfile[[:space:]]*=.*|auth.redis.ssl.cacertfile = "/emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/ca.crt"|g' apps/emqx_auth_redis/etc/emqx_auth_redis.conf
           sed -i 's|^[#[:space:]]*auth.redis.ssl.certfile[[:space:]]*=.*|auth.redis.ssl.certfile = "/emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.crt"|g' apps/emqx_auth_redis/etc/emqx_auth_redis.conf
           sed -i 's|^[#[:space:]]*auth.redis.ssl.keyfile[[:space:]]*=.*|auth.redis.ssl.keyfile = "/emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.key"|g' apps/emqx_auth_redis/etc/emqx_auth_redis.conf
diff --git a/apps/emqx_auth_http/etc/emqx_auth_http.conf b/apps/emqx_auth_http/etc/emqx_auth_http.conf
index 1ee90e982..b2f6c4280 100644
--- a/apps/emqx_auth_http/etc/emqx_auth_http.conf
+++ b/apps/emqx_auth_http/etc/emqx_auth_http.conf
@@ -18,7 +18,7 @@ auth.http.auth_req.method = post
 ## The possible values of the Content-Type header: application/x-www-form-urlencoded, application/json
 ## 
 ## Examples: auth.http.auth_req.headers.accept = */*
-auth.http.auth_req.headers.content-type = application/x-www-form-urlencoded
+auth.http.auth_req.headers.content-type = "application/x-www-form-urlencoded"
 
 ## Parameters used to construct the request body or query string parameters
 ## When the request method is GET, these parameters will be converted into query string parameters
@@ -53,7 +53,7 @@ auth.http.super_req.method = post
 ## The possible values of the Content-Type header: application/x-www-form-urlencoded, application/json
 ##
 ## Examples: auth.http.super_req.headers.accept = */*
-auth.http.super_req.headers.content-type = application/x-www-form-urlencoded
+auth.http.super_req.headers.content-type = "application/x-www-form-urlencoded"
 
 ## Parameters used to construct the request body or query string parameters
 ## When the request method is GET, these parameters will be converted into query string parameters
@@ -88,7 +88,7 @@ auth.http.acl_req.method = post
 ## The possible values of the Content-Type header: application/x-www-form-urlencoded, application/json
 ##
 ## Examples: auth.http.acl_req.headers.accept = */*
-auth.http.acl_req.headers.content-type = application/x-www-form-urlencoded
+auth.http.acl_req.headers.content-type = "application/x-www-form-urlencoded"
 
 ## Parameters used to construct the request body or query string parameters
 ## When the request method is GET, these parameters will be converted into query string parameters
diff --git a/apps/emqx_auth_pgsql/README.md b/apps/emqx_auth_pgsql/README.md
index 2dccd6f53..a8f5d723f 100644
--- a/apps/emqx_auth_pgsql/README.md
+++ b/apps/emqx_auth_pgsql/README.md
@@ -49,7 +49,7 @@ auth.pgsql.encoding = utf8
 ## Whether to enable SSL connection.
 ##
 ## Value: true | false
-auth.pgsql.ssl = false
+auth.pgsql.ssl.enable = false
 
 ## SSL keyfile.
 ##
diff --git a/apps/emqx_auth_redis/etc/emqx_auth_redis.conf b/apps/emqx_auth_redis/etc/emqx_auth_redis.conf
index f2a17165e..5acb75ca1 100644
--- a/apps/emqx_auth_redis/etc/emqx_auth_redis.conf
+++ b/apps/emqx_auth_redis/etc/emqx_auth_redis.conf
@@ -103,7 +103,7 @@ auth.redis.acl_cmd = "HGETALL mqtt_acl:%u"
 ## CA certificate.
 ##
 ## Value: File
-# auth.redis.ssl.cacertfile = path/to/your/cafile.pem
+#auth.redis.ssl.cacertfile = path/to/your/cafile.pem
 
 ## Client ssl certificate.
 ##
diff --git a/etc/emqx.conf b/etc/emqx.conf
index 06539c141..4909c1221 100644
--- a/etc/emqx.conf
+++ b/etc/emqx.conf
@@ -1717,7 +1717,7 @@ listener.ws.external.allow_origin_absence = true
 ## Comma separated list of allowed origin in header for websocket connection
 ##
 ## Value: http://url eg. local http dashboard url - http://localhost:18083, http://127.0.0.1:18083
-listener.ws.external.check_origins = http://localhost:18083, http://127.0.0.1:18083
+listener.ws.external.check_origins = "http://localhost:18083, http://127.0.0.1:18083"
 
 ##--------------------------------------------------------------------
 ## External WebSocket/SSL listener for MQTT Protocol
@@ -2010,7 +2010,7 @@ listener.wss.external.allow_origin_absence = true
 ## Comma separated list of allowed origin in header for secure websocket connection
 ##
 ## Value: http://url eg. https://localhost:8084, https://127.0.0.1:8084
-listener.wss.external.check_origins = https://localhost:8084, https://127.0.0.1:8084
+listener.wss.external.check_origins = "https://localhost:8084, https://127.0.0.1:8084"
 
 ##--------------------------------------------------------------------
 ## Modules