A quick Google: [en.wikipedia.org...]

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL[1]). HSTS is an IETF standards track protocol and is specified in RFC 6797.

So it seems the server will only communicate with HTTPS

That makes sense. I didn't come across that Wikipedia article. Guess I wasn't entering the correct query.

I didn't write this script, so I'm not sure how to force it to communicate over HTTPS.

Am I missing a setting?

 curl_setopt($ch, CURLOPT_VERBOSE, 0);
 curl_setopt($ch, CURLOPT_POST, 0);
 curl_setopt($ch, CURLOPT_AUTOREFERER, 1);
 curl_setopt($ch, CURLOPT_REFERER, '');
 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
 curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
 curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0');
 curl_setopt($ch, CURLOPT_HEADER, 1);
 curl_setopt($ch, CURLOPT_COOKIEFILE, xx_COOKIE_FILE);
 curl_setopt($ch, CURLOPT_COOKIEJAR, xx_COOKIE_FILE);

You should be fine simply changing the URL you're fetching to https:// rather than http://

It has always connected to https://

I'd test the script to see what is actually being sent to the server in question.

Try changing curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); to TRUE though , see if that helps.

It's handy to have curl on the command line sometimes to quickly check these things.

For instance:
curl -v [paypal.com...]
works fine. Paypal also serves the "Strict-Transport-Security:" header that insists on HTTPS communication.

Worked via command line.

curl -v [paypal.com...]
* About to connect() to www.paypal.com port 443
* Trying 23.7.66.234... connected
* Connected to www.paypal.com (23.7.66.234) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using RC4-SHA

I changed CURLOPT_SSL_VERIFYPEER to TRUE, still got the failure.
With paypal:

HTTP/1.1 200 OK Server: Apache Strict-Transport-Security: max-age=14400 Strict-Transport-Security: max-age=14400 Content-Type: text/html Date: Fri, 28 Jun 2013 02:58:30 GMT Content-Length: 54 Connection: keep-alive Set-Cookie: X-PP-SILOVER=name%3DLIVE5.WEB.1%26silo_version%3D880%26app%3Dslingshot%26TIME%3D3606826065; domain=.paypal.com; path=/; Secure; HttpOnly Fatal Failure

I did not change anything on my server (unless a curl update had triggered it, possibly) but I'm not too familiar with curl to know what to check.

I quickly scanned through that wiki article and it doesn't seem to suggest there's any particular header or requirement of the client, other than to communicate with HTTPS.

Is it a well known service you're trying to send a request to?

The example above was PayPal:
domain=.paypal.com; path=/; Secure; HttpOnly Fatal Failure

Was that with curl command line or your PHP/curl script? wasn't sure.

Try using CURLOPT_VERBOSE and CURLOPT_STDERR which might shed some light.

[php.net...]

It was the header output.

I got this:
Warning: curl_setopt(): supplied argument is not a valid File-Handle resource in /home/public_html/curl.php on line 209

Line 209:

curl_setopt($ch, CURLOPT_STDERR, 1);

Overall:

$ch = curl_init();
// curl_setopt($ch, CURLOPT_VERBOSE, 0);
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_STDERR, 1);
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_AUTOREFERER, 1);
curl_setopt($ch, CURLOPT_REFERER, '');
//curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_COOKIEFILE, xx_COOKIE_FILE);
curl_setopt($ch, CURLOPT_COOKIEJAR, xx_COOKIE_FILE);

CURLOPT_STDERR value should be a filename that will log the errors, if any. There's info & examples on the PHP manual page.

Gotcha.

There's quite a bit in the log file, so I'll post the last bit of it (assuming most of it isn't needed?):

* Connection #0 to host www.paypal.com left intact
* Re-using existing connection! (#0) with host (nil)
* Connected to (nil) (23.7.66.234) port 443 (#0)
> POST /cgi-bin/webscr?cmd=_flow&SESSION=[snip]&dispatch=[snip] HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Host: www.paypal.com
Accept: */*
Referer: [paypal.com...]
Cookie: aksession=[snip]; Apache=10.73.8.58.1372395348682522; navlns=0.0; [snip]; navcmd=_ship-now; cookie_check=yes; [snip]
Content-Length: 195
Content-Type: application/x-www-form-urlencoded

* upload completely sent off: 195 out of 195 bytes
< HTTP/1.1 200 OK
< Server: Apache
< Strict-Transport-Security: max-age=14400
< Strict-Transport-Security: max-age=14400
< Content-Type: text/html
< Date: Fri, 28 Jun 2013 04:53:50 GMT
< Content-Length: 54
< Connection: keep-alive
* Replaced cookie X-PP-SILOVER="name%3DLIVE5.WEB.1%26silo_version%3D880%26app%3Dslingshot%26TIME%3xx" for domain paypal.com, path /, expire 0
< Set-Cookie: X-PP-SILOVER=name%3DLIVE5.WEB.1%26silo_version%3D880%26app%3Dslingshot%26TIME%3Dxx; domain=.paypal.com; path=/; Secure; HttpOnly
<
* Connection #0 to host (nil) left intact
* Closing connection #0