What if it deal with the server side?

[GLingDroid]

Since October 2017,it seems that the GFW deployed a new policy that it analyzed the name of certification from the ACK of server.
If it contained like google.com ,then sent RST to server and dropped all packages from the client to that IP address.

Someone said that it needed to wait for tls1.3 online that encrypted the certification name.

So,does this tool still work?

[gkso]

Thanks for the update on the GFW's evolution. We assume that the GFW has separate TCBs for each direction (outbound: client->server, inbound: server->client), and our current approach can only tear down the outbound TCB. If there's sensitive data in the server's response, it will still trigger RST. In that case, we may either seek server's support for deploying the tool or find some method to tear down the inbound TCB from client-side.

[LGA1150]

It is not like what you think. GFW does NOT filter Server side certificate names, instead it filters SNI in SSL Client Hello request
You can test it by sending an SSL Client Hello request containing filtered SNI domain to another webserver e.g. yahoo.com
curl -kv https://www.google.com --resolve www.google.com:443:206.190.39.42 where 206.190.39.42 is Yahoo's server

[gkso]

I just added the support for HTTPS protocol, so now INTANG can deal with SNI field censorship. But I can see the domain name also appears in the certificate in the ServerHello message, which means the GFW may look into that field in the future (and seems it doesn't do that for now).