AES-CBC-HMAC-SHA2-ETM is fine as a last resort, assuming you have a secure compare function and a CSPRNG so your IVs never repeat for a given key and are unpredictable.
TLS's AES-CBC is MTE not ETM, and that distinction matters [1]. You shouldn't use CBC mode in SSL/TLS. (You also shouldn't be supporting SSL; only TLS.)
But an application-layer AE construction [2] as described in the article is fine.
CBC is not an option that you should be considering in 2019.
https://blog.cloudflare.com/padding-oracles-and-the-decline-...