tl;dr: The Vianet firewall is trying to do filtering of TLS connections based on the arbitrary and client-controlled host name string and not the destination IP address. It has no network-level routing control at all, it will allow a connection to any host on the internet, but will then terminate it after it sees that it's not going to (strictly, "doesn't look like it's going to") a permitted host. So the author set up a ssh server on the HTTPS port and connected to it with a faked host name.
But seriously folks: this is (1) still a crime in basically all jusisdictions and (2) a crime on an airplane in flight, so have fun in jail.
How is this a crime (in _all_ jurisdictions)? The CFAA is US-only, and few other jurisdictions have as loose terms (or history of abuse) as the CFAA, when it comes to "hacking".
It's straight up unauthorized access to a computer system. They tell you they don't allow it and you have to pay for it, the author clearly knew that, and evaded the protections. Cite me a legal environment where that is not a crime.
Which computer system does this access that the user was unauthorized to access? The user's home server?!
The made-for-DRM CFAA that might classify fooling a flimsy filter as "unauthorized access to a computer system" is very much US-specific. Over here on the other side of the world, I'm thankful I'm not subject to such legislation or judicial system, but to one which still has a sensible definition of "hacking".
Indeed, I was unclear. But the features are tied at the hip. SNI exists because TLS needs a way to discriminate separate certificates for the benefit of requests on the same port using distinct HTTP/1.1 Host headers. In my experience it's absolutely routine to talk about them using the same terminology.
But seriously folks: this is (1) still a crime in basically all jusisdictions and (2) a crime on an airplane in flight, so have fun in jail.