The problem is that if a way can be found to disrupt the configuration, such as by compromising the certificate chain, then decrypting the message becomes trivially easy.
So reading such a message is usually either impossible, or simple.
You have to understand the purpose of China's Great Firewall. A lot of techies think that it's an attempt at 1984-style total control of information. With this in mind, they see a vessel full of obvious leaks, and can't understand why China does things this way. Blocking any connection you can't spy on is a simple solution to these leaks that any techie could come up with, but China doesn't do it (in general). Why not?
It's because the Great Firewall is not intended to be an instrument of total information control. It's intended as an instrument of broad social influence. The Chinese government does not care if you can use ssh or SSL or whatever to bounce through a proxy in the USA to get to an article about the Tiananmen Square massacre. You want to put in effort to seek out that information, go wild. You don't even need to cover your tracks.
This information is out there. They can't stop it, and they know it, and they don't even try. The purpose of censorship is to shape conversation, not eliminate information. Anyone with a little determination can bypass the firewall and read about whatever censored stuff they're interested in. But the vast majority of people don't have a little determination for this stuff. They might hit a link or perform a search, but when it fails, they'll just move on. Thus, while they can't, don't, and don't even try to stop people from knowing about these things, they can and successfully do stop people in general from thinking about them, and guide their attention to other topics.
China doesn't care about a few people using crypto to bypass their censorship. China does care about attracting foreign business, and if travelers couldn't connect to their VPNs and secure web sites then there would be serious trouble with that.
It doesn't (that we know of); that's pretty much the point of encryption.
Read the excerpt from Schneier's book, presented here:
Apparently they do. Several Google domains were blocked on port 443, e.g. https://accounts.google.com, so you can't use anything Google-related, especially Gmail.