> Use encrypt-then-HMAC. Seriously. Yes really. No other choice is defensible in this age. If you think “oh but GCM” look more closely into its design.
There is no problem; it encrypts in counter mode and then adds a MAC. :-)
It's just a specific MAC that has its security properties intended to work with the counter-mode encryption, and lets you use the same key, and basically gets the details right for you. But the motivation for it doing encrypt-then-authenticate instead of vice versa is presumably the same as with separate encryption and HMAC.
What's the problem with GCM?
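The encrypt-then-authenticate ordering discussed in this thread, as an added example that is not part of any poster's comment: AES-CTR followed by HMAC-SHA256 over the IV and ciphertext, with separate encryption and MAC keys, and the tag verified before anything is decrypted. The names `Seal`, `Open`, `tag` and `ErrAuth`, the `IV || ciphertext || tag` layout and the demo keys are assumptions made for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrAuth = errors.New("authentication failed")
func tag(macKey, data []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(data)
	return m.Sum(nil)
}
func Seal(encKey, macKey, pt []byte) ([]byte, error) { // encrypt, then MAC IV||ciphertext
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(pt))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // fresh random IV
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], pt)
	return append(out, tag(macKey, out)...), nil
}
func Open(encKey, macKey, msg []byte) ([]byte, error) { // verify tag first, then decrypt
	n := len(msg) - sha256.Size
	if n < aes.BlockSize || !hmac.Equal(tag(macKey, msg[:n]), msg[n:]) { // constant-time compare
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCTR(block, msg[:aes.BlockSize]).XORKeyStream(pt, msg[aes.BlockSize:n])
	return pt, nil
}

func main() {
	ek, mk := make([]byte, 32), []byte("constructed demo MAC key") // demo keys only
	msg, _ := Seal(ek, mk, []byte("constructed sample message"))
	msg[20] ^= 1 // flip one ciphertext bit
	fmt.Println(Open(ek, mk, msg)) // tag check fails, nothing is decrypted
}
```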