diff --git a/apps/emqx_retainer/src/emqx_retainer.app.src b/apps/emqx_retainer/src/emqx_retainer.app.src
index 5f206a155..40cdcd11d 100644
--- a/apps/emqx_retainer/src/emqx_retainer.app.src
+++ b/apps/emqx_retainer/src/emqx_retainer.app.src
@@ -1,6 +1,6 @@
 {application, emqx_retainer,
  [{description, "EMQX Retainer"},
-  {vsn, "4.4.6"}, % strict semver, bump manually!
+  {vsn, "4.4.7"}, % strict semver, bump manually!
   {modules, []},
   {registered, [emqx_retainer_sup]},
   {applications, [kernel,stdlib]},
diff --git a/apps/emqx_retainer/src/emqx_retainer.appup.src b/apps/emqx_retainer/src/emqx_retainer.appup.src
index d944426a3..a41678b21 100644
--- a/apps/emqx_retainer/src/emqx_retainer.appup.src
+++ b/apps/emqx_retainer/src/emqx_retainer.appup.src
@@ -1,8 +1,7 @@
 %% -*- mode: erlang -*-
 %% Unless you know what you are doing, DO NOT edit manually!!
 {VSN,
-  [{"4.4.6",[{load_module,emqx_retainer,brutal_purge,soft_purge,[]}]},
-   {<<"4\\.4\\.[1-5]">>,
+  [{<<"4\\.4\\.[1-6]">>,
     [{load_module,emqx_retainer_sup,brutal_purge,soft_purge,[]},
      {apply,{emqx_retainer_sup,ensure_worker_pool_started,[]}},
      {load_module,emqx_retainer,brutal_purge,soft_purge,[]}]},
@@ -12,8 +11,7 @@
      {load_module,emqx_retainer,brutal_purge,soft_purge,[]},
      {load_module,emqx_retainer_cli,brutal_purge,soft_purge,[]}]},
    {<<".*">>,[]}],
-  [{"4.4.6",[{load_module,emqx_retainer,brutal_purge,soft_purge,[]}]},
-   {<<"4\\.4\\.[1-5]">>,
+  [{<<"4\\.4\\.[1-6]">>,
     [{load_module,emqx_retainer_sup,brutal_purge,soft_purge,[]},
      {load_module,emqx_retainer,brutal_purge,soft_purge,[]}]},
    {"4.4.0",
diff --git a/apps/emqx_retainer/src/emqx_retainer_sup.erl b/apps/emqx_retainer/src/emqx_retainer_sup.erl
index 02ced41ef..97f56140c 100644
--- a/apps/emqx_retainer/src/emqx_retainer_sup.erl
+++ b/apps/emqx_retainer/src/emqx_retainer_sup.erl
@@ -32,7 +32,12 @@ start_link(Env) ->
 
 ensure_worker_pool_started() ->
     try
-        supervisor:start_child(?MODULE, worker_pool_spec())
+        case is_managed_by_modules() of
+            true ->
+                supervisor:start_child(emqx_modules_sup, worker_pool_spec());
+            false ->
+                supervisor:start_child(?MODULE, worker_pool_spec())
+        end
     catch
         _:_ -> ignore
     end.
diff --git a/etc/emqx.conf b/etc/emqx.conf
index f3d91a4bb..84d0864ee 100644
--- a/etc/emqx.conf
+++ b/etc/emqx.conf
@@ -2611,7 +2611,7 @@ broker.route_batch_clean = off
 ## are mostly published to topics with large number of levels.
 ##
 ## NOTE: This is a cluster-wide configuration.
-## It rquires all nodes to be stopped before changing it.
+## It requires all nodes to be stopped before changing it.
 ##
 ## Value: Enum
 ##  - true: enable trie path compaction
diff --git a/scripts/get-dashboard.sh b/scripts/get-dashboard.sh
index 632fed25c..0ba0d82ec 100755
--- a/scripts/get-dashboard.sh
+++ b/scripts/get-dashboard.sh
@@ -14,7 +14,7 @@ case "${PKG_VSN}" in
     4.4*)
         # keep the above 4.3 untouched, otherwise conflicts!
         EMQX_CE_DASHBOARD_VERSION='v4.4.11'
-        EMQX_EE_DASHBOARD_VERSION='v4.4.24'
+        EMQX_EE_DASHBOARD_VERSION='v4.4.26'
         ;;
     *)
         echo "Unsupported version $PKG_VSN" >&2
@@ -49,6 +49,7 @@ if [ -d "$DASHBOARD_PATH/www" ] && [ "$(version)" = "$VERSION" ]; then
     exit 0
 fi
 
+echo "Downloading dashboard from $DIRECT_DOWNLOAD_URL"
 curl -L --silent --show-error \
      --header "Accept: application/octet-stream" \
      --output "${RELEASE_ASSET_FILE}" \
diff --git a/src/emqx_hooks.erl b/src/emqx_hooks.erl
index c7ec23fcf..aaf92a44a 100644
--- a/src/emqx_hooks.erl
+++ b/src/emqx_hooks.erl
@@ -21,6 +21,9 @@
 -include("logger.hrl").
 -include("types.hrl").
 
+-include_lib("snabbkaffe/include/snabbkaffe.hrl").
+
+
 -ifdef(TEST).
 -include_lib("eunit/include/eunit.hrl").
 -endif.
@@ -285,6 +288,7 @@ handle_cast({del, HookPoint, Action}, State) ->
         Callbacks ->
             ok = insert_hook(HookPoint, Callbacks)
     end,
+    ?tp(debug, emqx_hook_removed, #{hookpoint => HookPoint, action => Action}),
     {noreply, State};
 
 handle_cast(Msg, State) ->
diff --git a/src/emqx_listeners.erl b/src/emqx_listeners.erl
index baa840d04..13be71cf3 100644
--- a/src/emqx_listeners.erl
+++ b/src/emqx_listeners.erl
@@ -140,7 +140,8 @@ start_listener(Proto, ListenOn, Options0) when Proto == ssl; Proto == tls ->
     Options1 = proplists:delete(listener_id, Options0),
     Options2 = emqx_ocsp_cache:inject_sni_fun(ListenerID, Options1),
     Options3 = emqx_tls_lib:inject_root_fun(Options2),
-    Options = emqx_tls_lib:inject_verify_fun(Options3),
+    Options4 = emqx_tls_lib:inject_verify_fun(Options3),
+    Options = emqx_tls_lib:maybe_drop_incompatible_options(Options4),
     ok = maybe_register_crl_urls(Options),
     start_mqtt_listener('mqtt:ssl', ListenOn, Options);
 
diff --git a/src/emqx_tls_lib.erl b/src/emqx_tls_lib.erl
index 6aca651f5..2e330992a 100644
--- a/src/emqx_tls_lib.erl
+++ b/src/emqx_tls_lib.erl
@@ -26,6 +26,7 @@
         , inject_verify_fun/1
         , opt_partial_chain/1
         , opt_verify_fun/1
+        , maybe_drop_incompatible_options/1
         ]).
 
 -include("logger.hrl").
@@ -239,6 +240,23 @@ do_rootfun_trusted_ca_from_cacertfile(NumOfCerts, Cacertfile) ->
                              lists:sublist(public_key:pem_decode(PemBin), Pos, NumOfCerts)],
     emqx_const_v2:make_tls_root_fun(cacert_from_cacertfile, Trusted).
 
+maybe_drop_incompatible_options(Options) ->
+    case proplists:get_value(ssl_options, Options) of
+        undefined ->
+            Options;
+        SslOpts ->
+            maybe_drop_incompatible_options(Options, SslOpts, lists:keyfind(versions, 1, SslOpts))
+    end.
+
+maybe_drop_incompatible_options(Options, _SslOpts, false) ->
+    Options;
+maybe_drop_incompatible_options(Options, SslOpts0, {versions, ['tlsv1.3']}) ->
+    Incompatible = [reuse_sessions, secure_renegotiate, user_lookup_fun, client_renegotiation],
+    SslOpts = lists:filter(fun({K, _V}) -> not lists:member(K, Incompatible) end, SslOpts0),
+    lists:keyreplace(ssl_options, 1, Options, {ssl_options, SslOpts});
+maybe_drop_incompatible_options(Options, _SslOpts, {versions, [_ | _]}) ->
+    Options.
+
 -if(?OTP_RELEASE > 22).
 -ifdef(TEST).
 -include_lib("eunit/include/eunit.hrl").
@@ -261,5 +279,18 @@ drop_tls13_no_versions_cipers_test() ->
 has_tlsv13_cipher(Ciphers) ->
     lists:any(fun(C) -> lists:member(C, Ciphers) end, ?TLSV13_EXCLUSIVE_CIPHERS).
 
+maybe_drop_incompatible_options_test() ->
+    Opts0 = [{ssl_options, [{versions, ['tlsv1.3']}, {ciphers, ?TLSV13_EXCLUSIVE_CIPHERS},
+                            {reuse_sessions, true}, {secure_renegotiate, true},
+                            {user_lookup_fun, fun maybe_drop_incompatible_options/1},
+                            {client_renegotiation, true}]}],
+    Opts = maybe_drop_incompatible_options(Opts0),
+    ?assertNot(lists:member(reuse_sessions, proplists:get_value(ssl_options, Opts))),
+    ?assertNot(lists:member(secure_renegotiate, proplists:get_value(ssl_options, Opts))),
+    ?assertNot(lists:member(user_lookup_fun, proplists:get_value(ssl_options, Opts))),
+    ?assertNot(lists:member(client_renegotiation, proplists:get_value(ssl_options, Opts))),
+    ?assertEqual([{versions, ['tlsv1.3']}, {ciphers, ?TLSV13_EXCLUSIVE_CIPHERS}],
+                 proplists:get_value(ssl_options, Opts)).
+
 -endif. %% TEST
 -endif. %% OTP_RELEASE > 22