Thanks everyone! I've responded on both our GitHub issue and the mod_gnutls issue. Basically, we only allow SHA1 in OCSP requests because doing so is profiled by the "lightweight OCSP profile for high-volume environments", which we definitely count as. See details in the bugs!